From 250b67fc6f9b1ab8eff52ee8227564b4c9cc5772 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Wed, 26 Apr 2023 09:55:05 -0400 Subject: meta-tpm: rename recipes-tpm to recipes-tpm1 a bit of re-org. 
Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm/hoth/libhoth_git.bb | 17 -- .../Convert-another-vdprintf-to-dprintf.patch | 26 --- .../files/Use-format-s-for-call-to-dprintf.patch | 33 --- .../libtpm/files/fix_signed_issue.patch | 48 ---- meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb | 16 -- ...ate-tpm-key-support-well-known-key-option.patch | 99 -------- .../files/0002-libtpm-support-env-TPM_SRK_PW.patch | 80 ------- ...-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch | 251 --------------------- ...-tpm-engine-change-variable-c-type-from-c.patch | 31 --- .../files/openssl11_build_fix.patch | 34 --- .../openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb | 65 ------ .../pcr-extend/files/fix_openssl11_build.patch | 45 ---- meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb | 26 --- meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch | 31 --- .../swtpm/files/fix_lib_search_path.patch | 66 ------ .../recipes-tpm/swtpm/swtpm-wrappers-native.bb | 49 ---- meta-tpm/recipes-tpm/swtpm/swtpm_0.7.3.bb | 50 ---- .../tpm-quote-tools/tpm-quote-tools_1.0.4.bb | 22 -- .../tpm-tools/files/04-fix-FTBFS-clang.patch | 56 ----- .../tpm-tools/files/openssl1.1_fix.patch | 18 -- .../tpm-tools/files/tpm-tools-extendpcr.patch | 244 -------------------- .../recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb | 35 --- ...-override-localstatedir-mandir-sysconfdir.patch | 68 ------ ...path-use-POSIX-getpwent-instead-of-getpwe.patch | 49 ---- meta-tpm/recipes-tpm/trousers/files/tcsd.service | 10 - .../recipes-tpm/trousers/files/trousers-udev.rules | 2 - .../recipes-tpm/trousers/files/trousers.init.sh | 67 ------ meta-tpm/recipes-tpm/trousers/trousers_git.bb | 120 ---------- meta-tpm/recipes-tpm1/hoth/libhoth_git.bb | 17 ++ .../Convert-another-vdprintf-to-dprintf.patch | 26 +++ .../files/Use-format-s-for-call-to-dprintf.patch | 33 +++ .../libtpm/files/fix_signed_issue.patch | 48 ++++ meta-tpm/recipes-tpm1/libtpm/libtpm_0.9.5.bb | 16 ++ ...ate-tpm-key-support-well-known-key-option.patch | 99 ++++++++ 
.../files/0002-libtpm-support-env-TPM_SRK_PW.patch | 80 +++++++ ...-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch | 251 +++++++++++++++++++++ ...-tpm-engine-change-variable-c-type-from-c.patch | 31 +++ .../files/openssl11_build_fix.patch | 34 +++ .../openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb | 65 ++++++ .../pcr-extend/files/fix_openssl11_build.patch | 45 ++++ meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb | 26 +++ .../recipes-tpm1/swtpm/files/fix_fcntl_h.patch | 31 +++ .../swtpm/files/fix_lib_search_path.patch | 66 ++++++ .../recipes-tpm1/swtpm/swtpm-wrappers-native.bb | 49 ++++ meta-tpm/recipes-tpm1/swtpm/swtpm_0.7.3.bb | 50 ++++ .../tpm-quote-tools/tpm-quote-tools_1.0.4.bb | 22 ++ .../tpm-tools/files/04-fix-FTBFS-clang.patch | 56 +++++ .../tpm-tools/files/openssl1.1_fix.patch | 18 ++ .../tpm-tools/files/tpm-tools-extendpcr.patch | 244 ++++++++++++++++++++ .../recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb | 35 +++ ...-override-localstatedir-mandir-sysconfdir.patch | 68 ++++++ ...path-use-POSIX-getpwent-instead-of-getpwe.patch | 49 ++++ meta-tpm/recipes-tpm1/trousers/files/tcsd.service | 10 + .../trousers/files/trousers-udev.rules | 2 + .../recipes-tpm1/trousers/files/trousers.init.sh | 67 ++++++ meta-tpm/recipes-tpm1/trousers/trousers_git.bb | 120 ++++++++++ 56 files changed, 1658 insertions(+), 1658 deletions(-) delete mode 100644 meta-tpm/recipes-tpm/hoth/libhoth_git.bb delete mode 100644 meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch delete mode 100644 meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch delete mode 100644 meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch delete mode 100644 meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb delete mode 100644 meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch delete mode 100644 meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch delete mode 100644 
meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch delete mode 100644 meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch delete mode 100644 meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch delete mode 100644 meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb delete mode 100644 meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch delete mode 100644 meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb delete mode 100644 meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch delete mode 100644 meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch delete mode 100644 meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb delete mode 100644 meta-tpm/recipes-tpm/swtpm/swtpm_0.7.3.bb delete mode 100644 meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb delete mode 100644 meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch delete mode 100644 meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch delete mode 100644 meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch delete mode 100644 meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb delete mode 100644 meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch delete mode 100644 meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch delete mode 100644 meta-tpm/recipes-tpm/trousers/files/tcsd.service delete mode 100644 meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules delete mode 100644 meta-tpm/recipes-tpm/trousers/files/trousers.init.sh delete mode 100644 meta-tpm/recipes-tpm/trousers/trousers_git.bb create mode 100644 meta-tpm/recipes-tpm1/hoth/libhoth_git.bb create mode 100644 meta-tpm/recipes-tpm1/libtpm/files/Convert-another-vdprintf-to-dprintf.patch create mode 100644 
meta-tpm/recipes-tpm1/libtpm/files/Use-format-s-for-call-to-dprintf.patch create mode 100644 meta-tpm/recipes-tpm1/libtpm/files/fix_signed_issue.patch create mode 100644 meta-tpm/recipes-tpm1/libtpm/libtpm_0.9.5.bb create mode 100644 meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch create mode 100644 meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch create mode 100644 meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch create mode 100644 meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch create mode 100644 meta-tpm/recipes-tpm1/openssl-tpm-engine/files/openssl11_build_fix.patch create mode 100644 meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb create mode 100644 meta-tpm/recipes-tpm1/pcr-extend/files/fix_openssl11_build.patch create mode 100644 meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb create mode 100644 meta-tpm/recipes-tpm1/swtpm/files/fix_fcntl_h.patch create mode 100644 meta-tpm/recipes-tpm1/swtpm/files/fix_lib_search_path.patch create mode 100644 meta-tpm/recipes-tpm1/swtpm/swtpm-wrappers-native.bb create mode 100644 meta-tpm/recipes-tpm1/swtpm/swtpm_0.7.3.bb create mode 100644 meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb create mode 100644 meta-tpm/recipes-tpm1/tpm-tools/files/04-fix-FTBFS-clang.patch create mode 100644 meta-tpm/recipes-tpm1/tpm-tools/files/openssl1.1_fix.patch create mode 100644 meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch create mode 100644 meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb create mode 100644 meta-tpm/recipes-tpm1/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch create mode 100644 meta-tpm/recipes-tpm1/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch create mode 100644 
meta-tpm/recipes-tpm1/trousers/files/tcsd.service
create mode 100644 meta-tpm/recipes-tpm1/trousers/files/trousers-udev.rules
create mode 100644 meta-tpm/recipes-tpm1/trousers/files/trousers.init.sh
create mode 100644 meta-tpm/recipes-tpm1/trousers/trousers_git.bb
diff --git a/meta-tpm/recipes-tpm/hoth/libhoth_git.bb b/meta-tpm/recipes-tpm/hoth/libhoth_git.bb
deleted file mode 100644
index a3ebce7..0000000
--- a/meta-tpm/recipes-tpm/hoth/libhoth_git.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-SUMMARY = "Google Hoth USB library"
-DESCRIPTION = "Libraries and example programs for interacting with a \
- hoth-class root of trust."
-HOMEPAGE = "https://github.com/google/libhoth"
-
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-
-SRC_URI = "git://github.com/google/libhoth;protocol=https;branch=main"
-SRCREV = "1622e8a040d21dd564fdc1cb4df5eda01688c197"
-
-DEPENDS += "libusb1"
-
-S = "${WORKDIR}/git"
-
-inherit pkgconfig meson
-
diff --git a/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch b/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
deleted file mode 100644
index 9e1021a..0000000
--- a/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 09e7dd42e5201d079bad70e9f7cc6033ce1c7cad Mon Sep 17 00:00:00 2001
-From: Stefan Berger
-Date: Fri, 3 Feb 2017 10:58:22 -0500
-Subject: [PATCH] Convert another vdprintf to dprintf
-
-Signed-off-by: Stefan Berger
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster
-
----
- src/tpm_library.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: git/src/tpm_library.c
-===================================================================
---- git.orig/src/tpm_library.c
-+++ git/src/tpm_library.c
-@@ -427,7 +427,7 @@ void TPMLIB_LogPrintfA(unsigned int inde
- indent = sizeof(spaces) - 1;
- memset(spaces, ' ', indent);
- spaces[indent] = 0;
-- vdprintf(debug_fd, spaces, NULL);
-+ dprintf(debug_fd, "%s", spaces);
- }
-
- va_start(args, format);
diff --git a/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch b/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch
deleted file mode 100644
index a71b5c1..0000000
--- a/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 6a9b4e5d70f770aa9ca31e3e6d3b1ae72c192070 Mon Sep 17 00:00:00 2001
-From: Stefan Berger
-Date: Tue, 31 Jan 2017 20:10:51 -0500
-Subject: [PATCH] Use format '%s' for call to dprintf
-
-Fix the dprintf call to use a format parameter that otherwise causes
-errors with gcc on certain platforms.
-
-Signed-off-by: Stefan Berger
-
-Upstream-Status: Backport
-replaces local patch
-Signed-off-by: Armin Kuster
-
----
- src/tpm_library.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-Index: git/src/tpm_library.c
-===================================================================
---- git.orig/src/tpm_library.c
-+++ git/src/tpm_library.c
-@@ -405,8 +405,8 @@ int TPMLIB_LogPrintf(const char *format,
- }
-
- if (debug_prefix)
-- dprintf(debug_fd, debug_prefix);
-- dprintf(debug_fd, buffer);
-+ dprintf(debug_fd, "%s", debug_prefix);
-+ dprintf(debug_fd, "%s", buffer);
-
- return i;
- }
diff --git a/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch b/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch
deleted file mode 100644
index fc13aa5..0000000
--- a/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Upstream-Status: Pending
-Signed-off-by: Armin kuster
-
-Index: git/src/swtpm/ctrlchannel.c
-===================================================================
---- git.orig/src/swtpm/ctrlchannel.c
-+++ git/src/swtpm/ctrlchannel.c
-@@ -152,7 +152,8 @@ static int ctrlchannel_receive_state(ptm
- uint32_t tpm_number = 0;
- unsigned char *blob = NULL;
- uint32_t blob_length = be32toh(pss->u.req.length);
-- uint32_t remain = blob_length, offset = 0;
-+ ssize_t remain = (ssize_t) blob_length;
-+ uint32_t offset = 0;
- TPM_RESULT res;
- uint32_t flags = be32toh(pss->u.req.state_flags);
- TPM_BOOL is_encrypted = (flags & PTM_STATE_FLAG_ENCRYPTED) != 0;
-Index: git/src/swtpm_ioctl/tpm_ioctl.c
-===================================================================
---- git.orig/src/swtpm_ioctl/tpm_ioctl.c
-+++ git/src/swtpm_ioctl/tpm_ioctl.c
-@@ -303,7 +303,7 @@ static int do_save_state_blob(int fd, bo
- numbytes = write(file_fd, pgs.u.resp.data,
- devtoh32(is_chardev, pgs.u.resp.length));
-
-- if (numbytes != devtoh32(is_chardev, pgs.u.resp.length)) {
-+ if (numbytes != (ssize_t) devtoh32(is_chardev, pgs.u.resp.length)) {
- fprintf(stderr,
- "Could not write to file '%s': %s\n",
- filename, strerror(errno));
-@@ -420,7 +420,7 @@ static int do_load_state_blob(int fd, bo
- had_error = true;
- break;
- }
-- pss.u.req.length = htodev32(is_chardev, numbytes);
-+ pss.u.req.length = htodev32(is_chardev, (uint32_t) numbytes);
-
- /* the returnsize is zero on all intermediate packets */
- returnsize = ((size_t)numbytes < sizeof(pss.u.req.data))
-@@ -863,7 +863,7 @@ int main(int argc, char *argv[])
- return EXIT_FAILURE;
- }
- /* no tpm_result here */
-- printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap));
-+ printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
-
- } else if (!strcmp(command, "-i")) {
- init.u.req.init_flags = htodev32(is_chardev, PTM_INIT_FLAG_DELETE_VOLATILE);
diff --git a/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb b/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb
deleted file mode 100644
index cf80064..0000000
--- a/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb
+++ /dev/null
@@ -1,16 +0,0 @@
-SUMMARY = "LIBPM - Software TPM Library"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
-
-SRCREV = "df1c3e98d697f3c1f09262d2ba161a7db784d6cc"
-SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.9;protocol=https"
-
-PE = "1"
-
-S = "${WORKDIR}/git"
-inherit autotools-brokensep pkgconfig perlnative
-
-PACKAGECONFIG ?= "openssl"
-PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
-
-BBCLASSEXTEND = "native"
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
deleted file mode 100644
index bed8b92..0000000
--- a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed -Author: Junxian.Xiao -Date: Wed Jun 19 18:57:13 2013 +0800 - -support well-known password in openssl-tpm-engine. - -Add "-z" option to select well known password in create_tpm_key tool. - -Signed-off-by: Junxian.Xiao - -Index: git/src/create_tpm_key.c -=================================================================== ---- git.orig/src/create_tpm_key.c -+++ git/src/create_tpm_key.c -@@ -48,6 +48,8 @@ - - #include "ssl_compat.h" - -+#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/ -+ - #define print_error(a,b) \ - fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \ - a, b, Trspi_Error_String(b)) -@@ -72,6 +74,7 @@ usage(char *argv0) - "\t\t-e|--enc-scheme encryption scheme to use [PKCSV15] or OAEP\n" - "\t\t-q|--sig-scheme signature scheme to use [DER] or SHA1\n" - "\t\t-s|--key-size key size in bits [2048]\n" -+ "\t\t-z|--zerokey use well known 20 bytes zero as SRK password.\n" - "\t\t-a|--auth require a password for the key [NO]\n" - "\t\t-p|--popup use TSS GUI popup dialogs to get the password " - "for the\n\t\t\t\t key [NO] (implies --auth)\n" -@@ -154,6 +157,7 @@ int main(int argc, char **argv) - int asn1_len; - char *filename, c, *openssl_key = NULL; - int option_index, auth = 0, popup = 0, wrap = 0; -+ int wellknownkey = 0; - UINT32 enc_scheme = TSS_ES_RSAESPKCSV15; - UINT32 sig_scheme = TSS_SS_RSASSAPKCS1V15_DER; - UINT32 key_size = 2048; -@@ -161,12 +165,15 @@ int main(int argc, char **argv) - - while (1) { - option_index = 0; -- c = getopt_long(argc, argv, "pe:q:s:ahw:", -+ c = getopt_long(argc, argv, "pe:q:s:zahw:", - long_options, &option_index); - if (c == -1) - break; - - switch (c) { -+ case 'z': -+ wellknownkey = 1; -+ break; - case 'a': - initFlags |= TSS_KEY_AUTHORIZATION; - auth = 1; -@@ -300,6 +307,8 @@ int main(int argc, char **argv) - - if (srk_authusage) { - char *authdata = calloc(1, 128); -+ TSS_FLAG secretMode = 
TSS_SECRET_MODE_PLAIN; -+ int authlen = 0; - - if (!authdata) { - fprintf(stderr, "malloc failed.\n"); -@@ -316,17 +325,26 @@ int main(int argc, char **argv) - exit(result); - } - -- if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) { -- Tspi_Context_CloseObject(hContext, hKey); -- Tspi_Context_Close(hContext); -- free(authdata); -- exit(result); -+ if (wellknownkey) { -+ memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN); -+ secretMode = TSS_SECRET_MODE_SHA1; -+ authlen = TPM_WELL_KNOWN_KEY_LEN; -+ } -+ else { -+ if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) { -+ Tspi_Context_CloseObject(hContext, hKey); -+ Tspi_Context_Close(hContext); -+ free(authdata); -+ exit(result); -+ } -+ secretMode = TSS_SECRET_MODE_PLAIN; -+ authlen = strlen(authdata); - } - - //Set Secret - if ((result = Tspi_Policy_SetSecret(srkUsagePolicy, -- TSS_SECRET_MODE_PLAIN, -- strlen(authdata), -+ secretMode, -+ authlen, - (BYTE *)authdata))) { - print_error("Tspi_Policy_SetSecret", result); - free(authdata); diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch deleted file mode 100644 index 2caaaf0..0000000 --- a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed -Author: Junxian.Xiao -Date: Wed Jun 19 18:57:13 2013 +0800 - -support reading SRK password from env TPM_SRK_PW - -Add "env TPM_SRK_PW=xxxx" to set password for libtpm.so. Specially, -use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password. - -Signed-off-by: Junxian.Xiao - -Index: git/src/e_tpm.c -=================================================================== ---- git.orig/src/e_tpm.c -+++ git/src/e_tpm.c -@@ -38,6 +38,8 @@ - #include "e_tpm.h" - #include "ssl_compat.h" - -+#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/ -+ - //#define DLOPEN_TSPI - - #ifndef OPENSSL_NO_HW -@@ -262,6 +264,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb - TSS_RESULT result; - UINT32 authusage; - BYTE *auth; -+ char *srkPasswd = NULL; -+ TSS_FLAG secretMode = secret_mode; -+ int authlen = 0; -+ - - if (hSRK != NULL_HKEY) { - DBGFN("SRK is already loaded."); -@@ -313,18 +319,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb - return 0; - } - -- if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ", -- cb_data)) { -- Tspi_Context_CloseObject(hContext, hSRK); -- free(auth); -- TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); -- return 0; -+ srkPasswd = getenv("TPM_SRK_PW"); -+ if (NULL != srkPasswd) { -+ if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) { -+ memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN); -+ secretMode = TSS_SECRET_MODE_SHA1; -+ authlen = TPM_WELL_KNOWN_KEY_LEN; -+ } else { -+ int authbuflen = 128; -+ memset(auth, 0, authbuflen); -+ strncpy(auth, srkPasswd, authbuflen-1); -+ secretMode = TSS_SECRET_MODE_PLAIN; -+ authlen = strlen(auth); -+ } -+ } -+ else { -+ if (!tpm_engine_get_auth(ui, (char *)auth, 128, -+ "SRK authorization: ", cb_data)) { -+ Tspi_Context_CloseObject(hContext, hSRK); -+ free(auth); -+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ secretMode = secret_mode; -+ authlen = strlen(auth); - } - - /* secret_mode is a global that may 
be set by engine ctrl - * commands. By default, its set to TSS_SECRET_MODE_PLAIN */ -- if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secret_mode, -- strlen((char *)auth), auth))) { -+ if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secretMode, -+ authlen, auth))) { - Tspi_Context_CloseObject(hContext, hSRK); - free(auth); - TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch deleted file mode 100644 index cc8772d..0000000 --- a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch +++ /dev/null 
@@ -1,251 +0,0 @@ -From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001 -From: Limeng -Date: Fri, 23 Jun 2017 11:39:04 +0800 -Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password - from env - -Before, we support reading SRK password from env TPM_SRK_PW, -but it is a plain password and not secure. -So, we improve it and support to get an encrypted (AES algorithm) -SRK password from env, and then parse it. The default decrypting -AES password and salt is set in bb file. -When we initialize TPM, and set a SRK pw, and then we need to -encrypt it with the same AES password and salt by AES algorithm. -At last, we set a env as below: -export TPM_SRK_ENC_PW=xxxxxxxx -"xxxxxxxx" is the encrypted SRK password for libtpm.so. - -Signed-off-by: Meng Li ---- - e_tpm.c | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- - e_tpm.h | 4 ++ - e_tpm_err.c | 4 ++ - 3 files changed, 164 insertions(+), 1 deletion(-) - -Index: git/src/e_tpm.c -=================================================================== ---- git.orig/src/e_tpm.c -+++ git/src/e_tpm.c -@@ -259,6 +259,118 @@ void ENGINE_load_tpm(void) - ERR_clear_error(); - } - -+static int tpm_decode_base64(unsigned char *indata, -+ int in_len, -+ unsigned char *outdata, -+ int *out_len) -+{ -+ int total_len, len, ret; -+ EVP_ENCODE_CTX dctx; -+ -+ EVP_DecodeInit(&dctx); -+ -+ total_len = 0; -+ ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len); -+ if (ret < 0) { -+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED); -+ return 1; -+ } -+ -+ total_len += len; -+ ret = EVP_DecodeFinal(&dctx, outdata, &len); -+ if (ret < 0) { -+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED); -+ return 1; -+ } -+ total_len += len; -+ -+ *out_len = total_len; -+ -+ return 0; -+} -+ -+static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len, -+ unsigned char *outdata, -+ int *out_len) -+{ -+ int dec_data_len, dec_data_lenfinal; -+ unsigned char dec_data[256]; -+ 
unsigned char *aes_pw; -+ unsigned char aes_salt[PKCS5_SALT_LEN]; -+ unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; -+ const EVP_CIPHER *cipher = NULL; -+ const EVP_MD *dgst = NULL; -+ EVP_CIPHER_CTX *ctx = NULL; -+ -+ if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) { -+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); -+ return 1; -+ } -+ -+ aes_pw = malloc(sizeof(SRK_DEC_PW) - 1); -+ if (aes_pw == NULL) { -+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); -+ return 1; -+ } -+ -+ memset(aes_salt, 0x00, sizeof(aes_salt)); -+ memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1); -+ memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1); -+ -+ cipher = EVP_get_cipherbyname("aes-128-cbc"); -+ if (cipher == NULL) { -+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); -+ free(aes_pw); -+ return 1; -+ } -+ dgst = EVP_sha256(); -+ -+ EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv); -+ -+ ctx = EVP_CIPHER_CTX_new(); -+ /* Don't set key or IV right away; we want to check lengths */ -+ if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) { -+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); -+ free(aes_pw); -+ return 1; -+ } -+ -+ OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16); -+ OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16); -+ -+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) { -+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); -+ free(aes_pw); -+ return 1; -+ } -+ -+ if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) { -+ /* Error */ -+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); -+ free(aes_pw); -+ EVP_CIPHER_CTX_free(ctx); -+ return 1; -+ } -+ -+ if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) { -+ /* Error */ -+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); -+ free(aes_pw); -+ EVP_CIPHER_CTX_free(ctx); -+ return 1; -+ } -+ -+ 
dec_data_len = dec_data_len + dec_data_lenfinal; -+ -+ memcpy(outdata, dec_data, dec_data_len); -+ *out_len = dec_data_len; -+ -+ free(aes_pw); -+ EVP_CIPHER_CTX_free(ctx); -+ -+ return 0; -+} -+ - int tpm_load_srk(UI_METHOD *ui, void *cb_data) - { - TSS_RESULT result; -@@ -319,8 +431,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb - return 0; - } - -- srkPasswd = getenv("TPM_SRK_PW"); -+ srkPasswd = getenv("TPM_SRK_ENC_PW"); - if (NULL != srkPasswd) { -+ int in_len = strlen(srkPasswd); -+ int out_len; -+ unsigned char *out_buf; -+ -+ if (!in_len || in_len % 4) { -+ Tspi_Context_CloseObject(hContext, hSRK); -+ free(auth); -+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ -+ out_len = in_len * 3 / 4; -+ out_buf = malloc(out_len); -+ if (NULL == out_buf) { -+ Tspi_Context_CloseObject(hContext, hSRK); -+ free(auth); -+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ -+ if (tpm_decode_base64(srkPasswd, strlen(srkPasswd), -+ out_buf, &out_len)) { -+ Tspi_Context_CloseObject(hContext, hSRK); -+ free(auth); -+ free(out_buf); -+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ -+ if (tpm_decrypt_srk_pw(out_buf, out_len, -+ auth, &authlen)) { -+ Tspi_Context_CloseObject(hContext, hSRK); -+ free(auth); -+ free(out_buf); -+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); -+ return 0; -+ } -+ secretMode = TSS_SECRET_MODE_PLAIN; -+ free(out_buf); -+ } -+#ifdef TPM_SRK_PLAIN_PW -+ else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) { - if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) { - memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN); - secretMode = TSS_SECRET_MODE_SHA1; -@@ -333,6 +487,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb - authlen = strlen(auth); - } - } -+#endif - else { - if (!tpm_engine_get_auth(ui, (char *)auth, 128, - "SRK authorization: ", cb_data)) { -Index: git/src/e_tpm.h -=================================================================== ---- git.orig/src/e_tpm.h -+++ git/src/e_tpm.h -@@ -66,6 +66,8 
@@ void ERR_TSS_error(int function, int rea - #define TPM_F_TPM_FILL_RSA_OBJECT 116 - #define TPM_F_TPM_ENGINE_GET_AUTH 117 - #define TPM_F_TPM_CREATE_SRK_POLICY 118 -+#define TPM_F_TPM_DECODE_BASE64 119 -+#define TPM_F_TPM_DECRYPT_SRK_PW 120 - - /* Reason codes. */ - #define TPM_R_ALREADY_LOADED 100 -@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int rea - #define TPM_R_ID_INVALID 125 - #define TPM_R_UI_METHOD_FAILED 126 - #define TPM_R_UNKNOWN_SECRET_MODE 127 -+#define TPM_R_DECODE_BASE64_FAILED 128 -+#define TPM_R_DECRYPT_SRK_PW_FAILED 129 - - /* structure pointed to by the RSA object's app_data pointer */ - struct rsa_app_data -Index: git/src/e_tpm_err.c -=================================================================== ---- git.orig/src/e_tpm_err.c -+++ git/src/e_tpm_err.c -@@ -234,6 +234,8 @@ static ERR_STRING_DATA TPM_str_functs[] - {ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"}, - {ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"}, - {ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"}, -+ {ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"}, -+ {ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"}, - {0, NULL} - }; - -@@ -264,6 +266,8 @@ static ERR_STRING_DATA TPM_str_reasons[] - {TPM_R_FILE_READ_FAILED, "failed reading the key file"}, - {TPM_R_ID_INVALID, "engine id doesn't match"}, - {TPM_R_UI_METHOD_FAILED, "ui function failed"}, -+ {TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"}, -+ {TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"}, - {0, NULL} - }; - diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch deleted file mode 100644 index 535472a..0000000 --- a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From fb44e2814fd819c086f9a4c925427f89c0e8cec6 Mon Sep 17 00:00:00 2001
-From: Limeng
-Date: Fri, 21 Jul 2017 16:32:02 +0800
-Subject: [PATCH] tpm:openssl-tpm-engine: change variable c type from char
- into int
-
-refer to getopt_long() function definition, its return value type is
-int. So, change variable c type from char into int.
-On arm platform, when getopt_long() calling fails, if we define c as
-char type, its value will be 255, not -1. This will cause code enter
-wrong case.
-
-Signed-off-by: Meng Li
----
- create_tpm_key.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-Index: git/src/create_tpm_key.c
-===================================================================
---- git.orig/src/create_tpm_key.c
-+++ git/src/create_tpm_key.c
-@@ -155,7 +155,8 @@ int main(int argc, char **argv)
- ASN1_OCTET_STRING *blob_str;
- unsigned char *blob_asn1 = NULL;
- int asn1_len;
-- char *filename, c, *openssl_key = NULL;
-+ char *filename, *openssl_key = NULL;
-+ int c;
- int option_index, auth = 0, popup = 0, wrap = 0;
- int wellknownkey = 0;
- UINT32 enc_scheme = TSS_ES_RSAESPKCSV15;
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch b/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch
deleted file mode 100644
index 2f8eb81..0000000
--- a/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Fix compiling for openssl 1.1
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster
-
-Index: git/src/e_tpm.c
-===================================================================
---- git.orig/src/e_tpm.c
-+++ git/src/e_tpm.c
-@@ -265,19 +265,20 @@ static int tpm_decode_base64(unsigned ch
- int *out_len)
- {
- int total_len, len, ret;
-- EVP_ENCODE_CTX dctx;
-+ EVP_ENCODE_CTX *dctx;
-
-- EVP_DecodeInit(&dctx);
-+ dctx = EVP_ENCODE_CTX_new();
-+ EVP_DecodeInit(dctx);
-
- total_len = 0;
-- ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
-+ ret = EVP_DecodeUpdate(dctx, outdata, &len, indata, in_len);
- if (ret < 0) {
- TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
- return 1;
- }
-
- total_len += len;
-- ret = EVP_DecodeFinal(&dctx, outdata, &len);
-+ ret = EVP_DecodeFinal(dctx, outdata, &len);
- if (ret < 0) {
- TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
- return 1;
diff --git a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
deleted file mode 100644
index e3e643e..0000000
--- a/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
+++ /dev/null
@@ -1,65 +0,0 @@
-DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
-HOMEPAGE = "https://github.com/mgerstner/openssl_tpm_engine"
-SECTION = "security/tpm"
-
-LICENSE = "OpenSSL"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
-
-DEPENDS += "openssl trousers"
-
-SRC_URI = "\
- git://github.com/mgerstner/openssl_tpm_engine.git;branch=master;protocol=https \
- file://0001-create-tpm-key-support-well-known-key-option.patch \
- file://0002-libtpm-support-env-TPM_SRK_PW.patch \
- file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
- file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \
- file://openssl11_build_fix.patch \
-"
-SRCREV = "b28de5065e6eb9aa5d5afe2276904f7624c2cbaf"
-
-S = "${WORKDIR}/git"
-
-inherit autotools-brokensep pkgconfig
-
-# The definitions below are used to decrypt the srk password.
-# It is allowed to define the values in 3 forms: string, hex number and
-# the hybrid, e.g,
-# srk_dec_pw = "incendia"
-# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
-# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
-#
-# Due to the limit of escape character, the hybrid must be written in
-# above style.
The actual values defined below in C code style are:
-# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
-# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
-srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
-srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
-
-CFLAGS:append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
-
-# Uncomment below line if using the plain srk password for development
-#CFLAGS:append = " -DTPM_SRK_PLAIN_PW"
-
-do_configure:prepend() {
- cd ${B}
- cp LICENSE COPYING
- touch NEWS AUTHORS ChangeLog README
-}
-
-FILES:${PN}-staticdev += "${libdir}/ssl/engines-3/tpm.la"
-FILES:${PN}-dbg += "\
- ${libdir}/ssl/engines-3/.debug \
- ${libdir}/engines-3/.debug \
- ${prefix}/local/ssl/lib/engines-3/.debug \
-"
-FILES:${PN} += "\
- ${libdir}/ssl/engines-3/tpm.so* \
- ${libdir}/engines-3/tpm.so* \
- ${libdir}/libtpm.so* \
- ${prefix}/local/ssl/lib/engines-3/tpm.so* \
-"
-
-RDEPENDS:${PN} += "libcrypto libtspi"
-
-INSANE_SKIP:${PN} = "libdir"
-INSANE_SKIP:${PN}-dbg = "libdir"
diff --git a/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch b/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch
deleted file mode 100644
index cf2d437..0000000
--- a/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Enable building with openssl 1.1
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster
-
-Index: git/src/pcr-extend.c
-===================================================================
---- git.orig/src/pcr-extend.c
-+++ git/src/pcr-extend.c
-@@ -118,7 +118,7 @@ dump_buf (FILE *file, char *buf, size_t
- static unsigned char*
- sha1_file (FILE *file, unsigned int *hash_len)
- {
-- EVP_MD_CTX ctx = { 0 };
-+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
- unsigned char *buf = NULL, *hash = NULL;
- size_t num_read = 0;
-
-@@ -127,7 +127,7 @@ sha1_file (FILE *file, unsigned int *has
- perror ("malloc:\n");
- goto sha1_fail;
- }
-- if (EVP_DigestInit (&ctx, EVP_sha1 ()) == 0) {
-+ if (EVP_DigestInit (ctx, EVP_sha1 ()) == 0) {
- ERR_print_errors_fp (stderr);
- goto sha1_fail;
- }
-@@ -135,7 +135,7 @@ sha1_file (FILE *file, unsigned int *has
- num_read = fread (buf, 1, BUF_SIZE, file);
- if (num_read <= 0)
- break;
-- if (EVP_DigestUpdate (&ctx, buf, num_read) == 0) {
-+ if (EVP_DigestUpdate (ctx, buf, num_read) == 0) {
- ERR_print_errors_fp (stderr);
- goto sha1_fail;
- }
-@@ -149,7 +149,7 @@ sha1_file (FILE *file, unsigned int *has
- perror ("calloc of hash buffer:\n");
- goto sha1_fail;
- }
-- if (EVP_DigestFinal (&ctx, hash, hash_len) == 0) {
-+ if (EVP_DigestFinal (ctx, hash, hash_len) == 0) {
- ERR_print_errors_fp (stderr);
- goto sha1_fail;
- }
diff --git a/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
deleted file mode 100644
index 45da416..0000000
--- a/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
+++ /dev/null
@@ -1,26 +0,0 @@
-SUMMARY = "Command line utility to extend hash of arbitrary data into a TPMs PCR."
-HOMEPAGE = "https://github.com/flihp/pcr-extend"
-SECTION = "security/tpm"
-LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-DEPENDS = "libtspi"
-
-PV = "0.1+git${SRCPV}"
-SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
-
-SRC_URI = "git://github.com/flihp/pcr-extend.git;branch=master;protocol=https \
- file://fix_openssl11_build.patch "
-
-inherit autotools
-
-S = "${WORKDIR}/git"
-
-do_compile() {
- oe_runmake -C ${S}/src
-}
-
-do_install() {
- install -d ${D}${bindir}
- oe_runmake -C ${S}/src DESTDIR="${D}" install
-}
diff --git a/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch b/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
deleted file mode 100644
index 3d16431..0000000
--- a/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 8750a6c3f0b4d9e7e45b4079150d29eb44774e9c Mon Sep 17 00:00:00 2001
-From: Armin Kuster
-Date: Tue, 14 Mar 2017 22:59:36 -0700
-Subject: [PATCH 2/4] logging: Fix musl build issue with fcntl
-
- error: #warning redirecting incorrect #include to [-Werror=cpp]
- #warning redirecting incorrect #include to
-
----
- src/swtpm/logging.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/swtpm/logging.c b/src/swtpm/logging.c
-index f16cab6..7da8606 100644
---- a/src/swtpm/logging.c
-+++ b/src/swtpm/logging.c
-@@ -45,7 +45,7 @@
- #include
- #include
- #include
--#include
-+#include
- #include
- #include
- #include
---
-2.11.0
-
diff --git a/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
deleted file mode 100644
index 60958f7..0000000
--- a/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 672bb4ee625da3141ba6cecb0601c7563de4c483 Mon Sep 17 00:00:00 2001
-From: Armin Kuster
-Date: Thu, 13 Oct 2016 02:03:56 -0700
-Subject: [PATCH 1/4] swtpm: add new package
-
-Upstream-Status: Inappropriate [OE config]
-
-Signed-off-by: Armin Kuster
-
-Rebased to current tip.
-
-Signed-off-by: Patrick Ohly
-
----
- configure.ac | 34 ++++++++++------------------------
- 1 file changed, 10 insertions(+), 24 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index abf5be1..85ed6ac 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -395,31 +395,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-security"
- dnl We have to make sure libtpms is using the same crypto library
- dnl to avoid problems
- AC_MSG_CHECKING([the crypto library libtpms is using])
--dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
-- sed -n '/SEARCH_DIR/p' | \
-- sed 's/SEARCH_DIR("\(@<:@^"@:>@*\)"); */\1 /g' | \
-- sed 's|=/|/|g')
--for dir in $dirs $LIBRARY_PATH; do
-- if test -r $dir/libtpms.so; then
-- if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
-- libtpms_cryptolib="openssl"
-- break
-- fi
-- if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
-- libtpms_cryptolib="freebl"
-- break
-- fi
-+dir="$SEARCH_DIR"
-+if test -r $dir/libtpms.so; then
-+ if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
-+ libtpms_cryptolib="openssl"
-+ break
- fi
-- case $host_os in
-- cygwin|openbsd*)
-- if test -r $dir/libtpms.a; then
-- if test -n "$(nm $dir/libtpms.a | grep "U AES_encrypt")"; then
-- libtpms_cryptolib="openssl"
-- fi
-- fi
-- ;;
-- esac
--done
-+ if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
-+ libtpms_cryptolib="freebl"
-+ break
-+ fi
-+fi
-
- if test -z "$libtpms_cryptolib"; then
- AC_MSG_ERROR([Could not determine libtpms crypto library.])
---
-2.11.0
-
diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb b/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
deleted file mode 100644
index bb93374..0000000
--- a/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
+++ /dev/null
@@ -1,49 +0,0 @@
-SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
-LICENSE = "MIT"
-DEPENDS = "swtpm-native"
-
-inherit native
-
-# The whole point of the recipe is to make files available
-# for use after the build is done, so don't clean up...
-RM_WORK_EXCLUDE += "${PN}"
-
-do_create_wrapper () {
- # Wrap (almost) all swtpm binaries. Some get special wrappers and some
- # are not needed.
- for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do
- exe=`basename $i`
- case $exe in
- swtpm_setup)
- cat >${WORKDIR}/swtpm_setup_oe.sh <${WORKDIR}/${exe}_oe.sh <
-Bug-Debian: http://bugs.debian.org/753063
-
-Upstream-Status: Backport
-tpm-tools_1.3.9.1-0.1.debian.tar
-
-Signed-off-by: Armin kuster
-
---- tpm-tools-1.3.8/src/tpm_mgmt/tpm_present.c 2012-05-17 21:49:58.000000000 +0400
-+++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_present.c 2014-06-29 01:01:11.502081468 +0400
-@@ -165,7 +165,7 @@
-
- TSS_BOOL bCmd, bHwd;
- BOOL bRc;
-- TSS_HPOLICY hTpmPolicy;
-+ TSS_HPOLICY hTpmPolicy = 0;
- char *pwd = NULL;
- int pswd_len;
- char rsp[5];
---- tpm-tools-1.3.8/src/tpm_mgmt/tpm_takeownership.c 2010-09-30 21:28:09.000000000 +0400
-+++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_takeownership.c 2014-06-29 01:01:51.069373655 +0400
-@@ -67,7 +67,7 @@
- char *szSrkPasswd = NULL;
- int tpm_len, srk_len;
- TSS_HTPM hTpm;
-- TSS_HKEY hSrk;
-+ TSS_HKEY hSrk = 0;
- TSS_FLAG fSrkAttrs;
- TSS_HPOLICY hTpmPolicy, hSrkPolicy;
- int iRc = -1;
---- tpm-tools-1.3.8/src/tpm_mgmt/tpm_nvwrite.c 2011-08-17 16:20:35.000000000 +0400
-+++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_nvwrite.c 2014-06-29 01:02:45.836397172 +0400
-@@ -220,7 +220,7 @@
- close(fd);
- fd = -1;
- } else if (fillvalue >= 0) {
-- if (length < 0) {
-+ if (length == 0) {
- logError(_("Requiring size parameter.\n"));
- return -1;
- }
---- tpm-tools-1.3.8/src/data_mgmt/data_protect.c 2012-05-17 21:49:58.000000000 +0400
-+++ tpm-tools-1.3.8-my/src/data_mgmt/data_protect.c
2014-06-29 01:03:49.863254459 +0400
-@@ -432,8 +432,8 @@
-
- char *pszPin = NULL;
-
-- CK_RV rv;
-- CK_SESSION_HANDLE hSession;
-+ CK_RV rv = 0;
-+ CK_SESSION_HANDLE hSession = 0;
- CK_OBJECT_HANDLE hObject;
- CK_MECHANISM tMechanism = { CKM_AES_ECB, NULL, 0 };
-
diff --git a/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch b/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch
deleted file mode 100644
index 9ae3f72..0000000
--- a/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Upstream-Status: Pending
-Update to build with openssl 1.1.x
-
-Signed-off-by: Armin Kuster
-
-Index: git/src/cmds/tpm_extendpcr.c
-===================================================================
---- git.orig/src/cmds/tpm_extendpcr.c
-+++ git/src/cmds/tpm_extendpcr.c
-@@ -136,7 +136,7 @@ int main(int argc, char **argv)
-
- unsigned char msg[EVP_MAX_MD_SIZE];
- unsigned int msglen;
-- EVP_MD_CTX ctx;
-+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
- EVP_DigestInit(&ctx, EVP_sha1());
- while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0)
- EVP_DigestUpdate(&ctx, line, lineLen);
diff --git a/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch b/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
deleted file mode 100644
index 40150af..0000000
--- a/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
+++ /dev/null
@@ -1,244 +0,0 @@
-Index: git/include/tpm_tspi.h
-===================================================================
---- git.orig/include/tpm_tspi.h
-+++ git/include/tpm_tspi.h
-@@ -117,6 +117,10 @@ TSS_RESULT tpmPcrRead(TSS_HTPM a_hTpm, U
- UINT32 *a_PcrSize, BYTE **a_PcrValue);
- TSS_RESULT pcrcompositeSetPcrValue(TSS_HPCRS a_hPcrs, UINT32 a_Idx,
- UINT32 a_PcrSize, BYTE *a_PcrValue);
-+TSS_RESULT tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx,
-+ UINT32 a_DataSize, BYTE *a_Data,
-+ TSS_PCR_EVENT *a_Event,
-+ UINT32 *a_PcrSize, BYTE **a_PcrValue);
- #ifdef TSS_LIB_IS_12
- TSS_RESULT unloadVersionInfo(UINT64 *offset, BYTE *blob, TPM_CAP_VERSION_INFO *v);
- TSS_RESULT pcrcompositeSetPcrLocality(TSS_HPCRS a_hPcrs, UINT32 localityValue);
-Index: git/lib/tpm_tspi.c
-===================================================================
---- git.orig/lib/tpm_tspi.c
-+++ git/lib/tpm_tspi.c
-@@ -594,6 +594,20 @@ pcrcompositeSetPcrValue(TSS_HPCRS a_hPcr
- return result;
- }
-
-+TSS_RESULT
-+tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx,
-+ UINT32 a_DataSize, BYTE *a_Data,
-+ TSS_PCR_EVENT *a_Event,
-+ UINT32 *a_PcrSize, BYTE **a_PcrValue)
-+{
-+ TSS_RESULT result =
-+ Tspi_TPM_PcrExtend(a_hTpm, a_Idx, a_DataSize, a_Data, a_Event,
-+ a_PcrSize, a_PcrValue);
-+ tspiResult("Tspi_TPM_PcrExtend", result);
-+
-+ return result;
-+}
-+
- #ifdef TSS_LIB_IS_12
- /*
- * These getPasswd functions will wrap calls to the other functions and check to see if the TSS
-Index: git/src/cmds/Makefile.am
-===================================================================
---- git.orig/src/cmds/Makefile.am
-+++ git/src/cmds/Makefile.am
-@@ -22,6 +22,7 @@
- #
-
- bin_PROGRAMS = tpm_sealdata \
-+ tpm_extendpcr \
- tpm_unsealdata
-
- if TSS_LIB_IS_12
-@@ -33,4 +34,5 @@ endif
- LDADD = $(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto @INTLLIBS@
-
- tpm_sealdata_SOURCES = tpm_sealdata.c
-+tpm_extendpcr_SOURCES = tpm_extendpcr.c
- tpm_unsealdata_SOURCES =
tpm_unsealdata.c
-Index: git/src/cmds/tpm_extendpcr.c
-===================================================================
---- /dev/null
-+++ git/src/cmds/tpm_extendpcr.c
-@@ -0,0 +1,181 @@
-+/*
-+ * The Initial Developer of the Original Code is International
-+ * Business Machines Corporation. Portions created by IBM
-+ * Corporation are Copyright (C) 2005, 2006 International Business
-+ * Machines Corporation. All Rights Reserved.
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the Common Public License as published by
-+ * IBM Corporation; either version 1 of the License, or (at your option)
-+ * any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * Common Public License for more details.
-+ *
-+ * You should have received a copy of the Common Public License
-+ * along with this program; if not, a copy can be viewed at
-+ * http://www.opensource.org/licenses/cpl1.0.php.
-+ */
-+#include
-+#include
-+#include
-+#include "tpm_tspi.h"
-+#include "tpm_utils.h"
-+#include "tpm_seal.h"
-+
-+// #define TPM_EXTENDPCR_DEBUG
-+
-+static void help(const char *aCmd)
-+{
-+ logCmdHelp(aCmd);
-+ logCmdOption("-i, --infile FILE",
-+ _
-+ ("Filename containing data to extend PCRs with.
Default is STDIN."));
-+ logCmdOption("-p, --pcr NUMBER",
-+ _("PCR to extend."));
-+
-+}
-+
-+static char in_filename[PATH_MAX] = "";
-+static TSS_HPCRS hPcrs = NULL_HPCRS;
-+static TSS_HTPM hTpm;
-+static UINT32 selectedPcrs[24];
-+static UINT32 selectedPcrsLen = 0;
-+TSS_HCONTEXT hContext = 0;
-+
-+static int parse(const int aOpt, const char *aArg)
-+{
-+ int rc = -1;
-+
-+ switch (aOpt) {
-+ case 'i':
-+ if (aArg) {
-+ strncpy(in_filename, aArg, PATH_MAX);
-+ rc = 0;
-+ }
-+ break;
-+ case 'p':
-+ if (aArg) {
-+ selectedPcrs[selectedPcrsLen++] = atoi(aArg);
-+ rc = 0;
-+ }
-+ break;
-+ default:
-+ break;
-+ }
-+ return rc;
-+
-+}
-+
-+int main(int argc, char **argv)
-+{
-+
-+ int iRc = -1;
-+ struct option opts[] = {
-+ {"infile", required_argument, NULL, 'i'},
-+ {"pcr", required_argument, NULL, 'p'},
-+ };
-+ unsigned char line[EVP_MD_block_size(EVP_sha1()) * 16];
-+ int lineLen;
-+ UINT32 i;
-+
-+ BIO *bin = NULL;
-+
-+ initIntlSys();
-+
-+ if (genericOptHandler(argc, argv, "i:p:", opts,
-+ sizeof(opts) / sizeof(struct option), parse,
-+ help) != 0)
-+ goto out;
-+
-+ if (contextCreate(&hContext) != TSS_SUCCESS)
-+ goto out;
-+
-+ if (contextConnect(hContext) != TSS_SUCCESS)
-+ goto out_close;
-+
-+ if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
-+ goto out_close;
-+
-+ /* Create a BIO for the input file */
-+ if ((bin = BIO_new(BIO_s_file())) == NULL) {
-+ logError(_("Unable to open input BIO\n"));
-+ goto out_close;
-+ }
-+
-+ /* Assign the input file to the BIO */
-+ if (strlen(in_filename) == 0)
-+ BIO_set_fp(bin, stdin, BIO_NOCLOSE);
-+ else if (!BIO_read_filename(bin, in_filename)) {
-+ logError(_("Unable to open input file: %s\n"),
-+ in_filename);
-+ goto out_close;
-+ }
-+
-+ /* Create the PCRs object.
If any PCRs above 15 are selected, this will need to be
-+ * a 1.2 TSS/TPM */
-+ if (selectedPcrsLen) {
-+ TSS_FLAG initFlag = 0;
-+ UINT32 pcrSize;
-+ BYTE *pcrValue;
-+
-+ for (i = 0; i < selectedPcrsLen; i++) {
-+ if (selectedPcrs[i] > 15) {
-+#ifdef TSS_LIB_IS_12
-+ initFlag |= TSS_PCRS_STRUCT_INFO_LONG;
-+#else
-+ logError(_("This version of %s was compiled for a v1.1 TSS, which "
-+ "can only seal\n data to PCRs 0-15. PCR %u is out of range"
-+ "\n"), argv[0], selectedPcrs[i]);
-+ goto out_close;
-+#endif
-+ }
-+ }
-+
-+ unsigned char msg[EVP_MAX_MD_SIZE];
-+ unsigned int msglen;
-+ EVP_MD_CTX ctx;
-+ EVP_DigestInit(&ctx, EVP_sha1());
-+ while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0)
-+ EVP_DigestUpdate(&ctx, line, lineLen);
-+ EVP_DigestFinal(&ctx, msg, &msglen);
-+
-+ if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag,
-+ &hPcrs) != TSS_SUCCESS)
-+ goto out_close;
-+
-+ for (i = 0; i < selectedPcrsLen; i++) {
-+#ifdef TPM_EXTENDPCR_DEBUG
-+ if (tpmPcrRead(hTpm, selectedPcrs[i], &pcrSize, &pcrValue) != TSS_SUCCESS)
-+ goto out_close;
-+
-+ unsigned int j;
-+ for (j = 0; j < pcrSize; j++)
-+ printf("%02X ", pcrValue[j]);
-+ printf("\n");
-+#endif
-+
-+ if (tpmPcrExtend(hTpm, selectedPcrs[i], msglen, msg, NULL, &pcrSize, &pcrValue) != TSS_SUCCESS)
-+ goto out_close;
-+
-+#ifdef TPM_EXTENDPCR_DEBUG
-+ for (j = 0; j < pcrSize; j++)
-+ printf("%02X ", pcrValue[j]);
-+ printf("\n");
-+#endif
-+ }
-+ }
-+
-+ iRc = 0;
-+ logSuccess(argv[0]);
-+
-+out_close:
-+ contextClose(hContext);
-+
-+out:
-+ if (bin)
-+ BIO_free(bin);
-+ return iRc;
-+}
diff --git a/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
deleted file mode 100644
index b47d53a..0000000
--- a/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
+++ /dev/null
@@ -1,35 +0,0 @@
-SUMMARY = "The tpm-tools package contains commands to allow the platform administrator the ability to manage and diagnose the platform's TPM."
-DESCRIPTION = " \
- The tpm-tools package contains commands to allow the platform administrator \
- the ability to manage and diagnose the platform's TPM. Additionally, the \
- package contains commands to utilize some of the capabilities available \
- in the TPM PKCS#11 interface implemented in the openCryptoki project. \
- "
-SECTION = "tpm"
-LICENSE = "CPL-1.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
-
-DEPENDS = "libtspi openssl perl-native"
-DEPENDS:class-native = "trousers-native"
-
-SRCREV = "bf43837575c5f7d31865562dce7778eae970052e"
-SRC_URI = " \
- git://git.code.sf.net/p/trousers/tpm-tools;branch=master \
- file://tpm-tools-extendpcr.patch \
- file://04-fix-FTBFS-clang.patch \
- file://openssl1.1_fix.patch \
- "
-
-inherit autotools-brokensep gettext
-
-S = "${WORKDIR}/git"
-
-do_configure:prepend () {
- mkdir -p po
- mkdir -p m4
- cp -R po_/* po/
- touch po/Makefile.in.in
- touch m4/Makefile.am
-}
-
-BBCLASSEXTEND = "native"
diff --git a/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch b/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
deleted file mode 100644
index 7b3cc77..0000000
--- a/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 3396fc7a184293c23135161f034802062f7f3816 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?=
-Date: Wed, 1 Nov 2017 11:41:48 +0000
-Subject: [PATCH] build: don't override --localstatedir --mandir --sysconfdir
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It is currently impossible to override localstatedir,
-mandir and sysconfdir during ./configure, because they
-are being overriden unconditionally because of they
-way trousers is built using rpmbuild.
-
-If they need massaging for rpmbuild, the values should
-be specified inside the spec file, not in ./configure
-and thereby overriding user-requested values.
-
-With this patch it is now possible to set above
-locations as needed. The .spec file is being modified
-as well so as to restore previous behaviour.
-
-Signed-off-by: André Draszik
----
-Upstream-Status: Submitted [https://sourceforge.net/p/trousers/mailman/message/36099290/]
-Signed-off-by: André Draszik
- configure.ac | 11 ++---------
- dist/trousers.spec.in | 2 +-
- 2 files changed, 3 insertions(+), 10 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index b9626af..7fe5f8e 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -376,16 +376,9 @@ CFLAGS="$CFLAGS -I../include \
- KERNEL_VERSION=`uname -r`
- AC_SUBST(CFLAGS)
-
--# When we build the rpms, prefix will be /usr. This'll do some things that make sense,
--# like put our sbin stuff in /usr/sbin and our library in /usr/lib. It'll do some other
--# things that don't make sense like put our config file in /usr/etc. So, I'll just hack
--# it here. If the --prefix option isn't specified during configure, let it all go to
-+# If the --prefix option isn't specified during configure, let it all go to
- # /usr/local, even /usr/local/etc.
:-P
--if test x"${prefix}" = x"/usr"; then
-- sysconfdir="/etc"
-- localstatedir="/var"
-- mandir="/usr/share/man"
--elif test x"${prefix}" = x"NONE"; then
-+if test x"${prefix}" = x"NONE"; then
- localstatedir="/usr/local/var"
- fi
-
-diff --git a/dist/trousers.spec.in b/dist/trousers.spec.in
-index b298b0e..10ef178 100644
---- a/dist/trousers.spec.in
-+++ b/dist/trousers.spec.in
-@@ -45,7 +45,7 @@ applications.
-
- %build
- %{?arch64:export PKG_CONFIG_PATH=%{pkgconfig_path}:$PKG_CONFIG_PATH}
--./configure --prefix=/usr --libdir=%{_libdir}
-+./configure --prefix=/usr --libdir=%{_libdir} --sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man
- make
-
- %clean
---
-2.15.0.rc1
-
diff --git a/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch b/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
deleted file mode 100644
index 3f5a144..0000000
--- a/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-trousers: fix compiling with musl
-
-use POSIX getpwent instead of getpwent_r
-
-Upstream-Status: Submitted
-
-Signed-off-by: Armin Kuster
-
-Index: git/src/tspi/ps/tspps.c
-===================================================================
---- git.orig/src/tspi/ps/tspps.c
-+++ git/src/tspi/ps/tspps.c
-@@ -66,9 +66,6 @@ get_user_ps_path(char **file)
- TSS_RESULT result;
- char *file_name = NULL, *home_dir = NULL;
- struct passwd *pwp;
--#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
-- struct passwd pw;
--#endif
- struct stat stat_buf;
- char buf[PASSWD_BUFSIZE];
- uid_t euid;
-@@ -96,24 +93,15 @@ get_user_ps_path(char **file)
- #else
- setpwent();
- while (1) {
--#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
-- rc = getpwent_r(&pw, buf, PASSWD_BUFSIZE, &pwp);
-- if (rc) {
-- LogDebugFn("USER PS: Error getting path to home directory: getpwent_r: %s",
-- strerror(rc));
-- endpwent();
-- return TSPERR(TSS_E_INTERNAL_ERROR);
-- }
--
--#elif (defined (__FreeBSD__) || defined (__OpenBSD__))
- if ((pwp = getpwent()) == NULL) {
- LogDebugFn("USER PS: Error getting path to home directory: getpwent: %s",
- strerror(rc));
- endpwent();
-+#if (defined (__FreeBSD__) || defined (__OpenBSD__))
- MUTEX_UNLOCK(user_ps_path);
-+#endif
- return TSPERR(TSS_E_INTERNAL_ERROR);
- }
--#endif
- if (euid == pwp->pw_uid) {
- home_dir = strdup(pwp->pw_dir);
- break;
diff --git a/meta-tpm/recipes-tpm/trousers/files/tcsd.service b/meta-tpm/recipes-tpm/trousers/files/tcsd.service
deleted file mode 100644
index 787d4e9..0000000
--- a/meta-tpm/recipes-tpm/trousers/files/tcsd.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=TCG Core Services Daemon
-After=syslog.target
-
-[Service]
-Type=forking
-ExecStart=@SBINDIR@/tcsd
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules b/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
deleted file mode 100644
index 256babd..0000000
--- a/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
+++ /dev/null
@@ -1,2 +0,0 @@
-# trousers daemon expects tpm device to be owned by tss user & group
-KERNEL=="tpm[0-9]*", MODE="0600", OWNER="tss", GROUP="tss"
diff --git a/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh b/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
deleted file mode 100644
index d0d6cb3..0000000
--- a/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/sh
-
-### BEGIN INIT INFO
-# Provides: tcsd trousers
-# Required-Start: $local_fs $remote_fs $network
-# Required-Stop: $local_fs $remote_fs $network
-# Should-Start:
-# Should-Stop:
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: starts tcsd
-# Description: tcsd belongs to the TrouSerS TCG Software Stack
-### END INIT INFO
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=/usr/sbin/tcsd
-NAME=tcsd
-DESC="Trusted Computing daemon"
-USER="tss"
-
-test -x "${DAEMON}" || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-case "${1}" in
- start)
- echo "Starting $DESC: "
-
- if [ ! -e /dev/tpm* ]
- then
- echo "device driver not loaded, skipping."
- exit 0
- fi
-
- start-stop-daemon --start --quiet --oknodo \
- --pidfile /var/run/${NAME}.pid --make-pidfile --background \
- --user ${USER} --chuid ${USER} \
- --exec ${DAEMON} -- ${DAEMON_OPTS} --foreground
- RETVAL="$?"
- echo "$NAME."
- exit $RETVAL
- ;;
-
- stop)
- echo "Stopping $DESC: "
-
- start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --exec ${DAEMON}
- RETVAL="$?"
- echo "$NAME."
- rm -f /var/run/${NAME}.pid
- exit $RETVAL
- ;;
-
- restart|force-reload)
- "${0}" stop
- sleep 1
- "${0}" start
- exit $?
- ;;
- *)
- echo "Usage: ${NAME} {start|stop|restart|force-reload|status}" >&2
- exit 3
- ;;
-esac
-
-exit 0
diff --git a/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-tpm/recipes-tpm/trousers/trousers_git.bb
deleted file mode 100644
index 192c66c..0000000
--- a/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ /dev/null
@@ -1,120 +0,0 @@
-SUMMARY = "TrouSerS - An open-source TCG Software Stack implementation."
-LICENSE = "BSD-3-Clause"
-HOMEPAGE = "http://sourceforge.net/projects/trousers/"
-LIC_FILES_CHKSUM = "file://README;startline=3;endline=4;md5=2af28fbed0832e4d83a9e6dd68bb4413"
-SECTION = "security/tpm"
-
-DEPENDS = "openssl"
-
-SRCREV = "94144b0a1dcef6e31845d6c319e9bd7357208eb9"
-PV = "0.3.15+git${SRCPV}"
-
-SRC_URI = " \
- git://git.code.sf.net/p/trousers/trousers;branch=master \
- file://trousers.init.sh \
- file://trousers-udev.rules \
- file://tcsd.service \
- file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
- file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
- "
-
-S = "${WORKDIR}/git"
-
-inherit autotools pkgconfig useradd update-rc.d ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
-
-PACKAGECONFIG ?= "gmp "
-PACKAGECONFIG[gmp] = "--with-gmp, --with-gmp=no, gmp"
-PACKAGECONFIG[gtk] = "--with-gui=gtk, --with-gui=none, gtk+"
-
-do_install () {
- oe_runmake DESTDIR=${D} install
-}
-
-do_install:append() {
- install -d ${D}${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/trousers.init.sh ${D}${sysconfdir}/init.d/trousers
- install -d ${D}${sysconfdir}/udev/rules.d
- install -m 0644 ${WORKDIR}/trousers-udev.rules ${D}${sysconfdir}/udev/rules.d/45-trousers.rules
-
- if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
- install -d ${D}${systemd_unitdir}/system
- install -m 0644 ${WORKDIR}/tcsd.service ${D}${systemd_unitdir}/system/
- sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/tcsd.service
- fi
-}
-
-CONFFILES:${PN} += "${sysconfig}/tcsd.conf"
-
-PROVIDES = "${PACKAGES}"
-PACKAGES = " \
- libtspi \
- libtspi-dbg \
- libtspi-dev \
- libtspi-doc \
- libtspi-staticdev \
- trousers \
- trousers-dbg \
- trousers-doc \
- "
-
-# libtspi needs tcsd for most (all?) operations, so suggest to
-# install that.
-RRECOMMENDS:libtspi = "${PN}"
-
-FILES:libtspi = " \
- ${libdir}/*.so.1 \
- ${libdir}/*.so.1.2.0 \
- "
-FILES:libtspi-dbg = " \
- ${libdir}/.debug \
- ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tspi \
- ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trspi \
- ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/*.h \
- ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/tss \
- "
-FILES:libtspi-dev = " \
- ${includedir} \
- ${libdir}/*.so \
- "
-FILES:libtspi-doc = " \
- ${mandir}/man3 \
- "
-FILES:libtspi-staticdev = " \
- ${libdir}/*.la \
- ${libdir}/*.a \
- "
-FILES:${PN} = " \
- ${sbindir}/tcsd \
- ${sysconfdir} \
- ${localstatedir} \
- "
-
-FILES:${PN}-dev += "${libdir}/trousers"
-
-FILES:${PN}-dbg = " \
- ${sbindir}/.debug \
- ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcs \
- ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcsd \
- ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tddl \
- ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trousers \
- ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/trousers \
- "
-FILES:${PN}-doc = " \
- ${mandir}/man5 \
- ${mandir}/man8 \
- "
-
-FILES:${PN} += "${systemd_unitdir}/*"
-
-INITSCRIPT_NAME = "trousers"
-INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
-
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM:${PN} = "--system tss"
-USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
-
-SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE:${PN} = "tcsd.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-BBCLASSEXTEND = "native"
diff --git a/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb b/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
new file mode 100644
index 0000000..a3ebce7
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Google Hoth USB library"
+DESCRIPTION = "Libraries and example programs for interacting with a \
+ hoth-class root of trust."
+HOMEPAGE = "https://github.com/google/libhoth"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI = "git://github.com/google/libhoth;protocol=https;branch=main"
+SRCREV = "1622e8a040d21dd564fdc1cb4df5eda01688c197"
+
+DEPENDS += "libusb1"
+
+S = "${WORKDIR}/git"
+
+inherit pkgconfig meson
+
diff --git a/meta-tpm/recipes-tpm1/libtpm/files/Convert-another-vdprintf-to-dprintf.patch b/meta-tpm/recipes-tpm1/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
new file mode 100644
index 0000000..9e1021a
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
@@ -0,0 +1,26 @@
+From 09e7dd42e5201d079bad70e9f7cc6033ce1c7cad Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Fri, 3 Feb 2017 10:58:22 -0500
+Subject: [PATCH] Convert another vdprintf to dprintf
+
+Signed-off-by: Stefan Berger
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster
+
+---
+ src/tpm_library.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/src/tpm_library.c
+===================================================================
+--- git.orig/src/tpm_library.c
++++ git/src/tpm_library.c
+@@ -427,7 +427,7 @@ void TPMLIB_LogPrintfA(unsigned int inde
+ indent = sizeof(spaces) - 1;
+ memset(spaces, ' ', indent);
+ spaces[indent] = 0;
+- vdprintf(debug_fd, spaces, NULL);
++ dprintf(debug_fd, "%s", spaces);
+ }
+
+ va_start(args, format);
diff --git a/meta-tpm/recipes-tpm1/libtpm/files/Use-format-s-for-call-to-dprintf.patch b/meta-tpm/recipes-tpm1/libtpm/files/Use-format-s-for-call-to-dprintf.patch
new file mode 100644
index 0000000..a71b5c1
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/libtpm/files/Use-format-s-for-call-to-dprintf.patch
@@ -0,0 +1,33 @@
+From 6a9b4e5d70f770aa9ca31e3e6d3b1ae72c192070 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Tue, 31 Jan 2017 20:10:51 -0500
+Subject: [PATCH] Use format '%s' for call to dprintf
+
+Fix the dprintf call to use a format parameter that otherwise causes
+errors with gcc on certain platforms.
+
+Signed-off-by: Stefan Berger
+
+Upstream-Status: Backport
+replaces local patch
+Signed-off-by: Armin Kuster
+
+---
+ src/tpm_library.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: git/src/tpm_library.c
+===================================================================
+--- git.orig/src/tpm_library.c
++++ git/src/tpm_library.c
+@@ -405,8 +405,8 @@ int TPMLIB_LogPrintf(const char *format,
+ }
+
+ if (debug_prefix)
+- dprintf(debug_fd, debug_prefix);
+- dprintf(debug_fd, buffer);
++ dprintf(debug_fd, "%s", debug_prefix);
++ dprintf(debug_fd, "%s", buffer);
+
+ return i;
+ }
diff --git a/meta-tpm/recipes-tpm1/libtpm/files/fix_signed_issue.patch b/meta-tpm/recipes-tpm1/libtpm/files/fix_signed_issue.patch
new file mode 100644
index 0000000..fc13aa5
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/libtpm/files/fix_signed_issue.patch
@@ -0,0 +1,48 @@
+Upstream-Status: Pending
+Signed-off-by: Armin kuster
+
+Index: git/src/swtpm/ctrlchannel.c
+===================================================================
+--- git.orig/src/swtpm/ctrlchannel.c
++++ git/src/swtpm/ctrlchannel.c
+@@ -152,7 +152,8 @@ static int ctrlchannel_receive_state(ptm
+ uint32_t tpm_number = 0;
+ unsigned char *blob = NULL;
+ uint32_t blob_length = be32toh(pss->u.req.length);
+- uint32_t remain = blob_length, offset = 0;
++ ssize_t remain = (ssize_t) blob_length;
++ uint32_t offset = 0;
+ TPM_RESULT res;
+ uint32_t flags = be32toh(pss->u.req.state_flags);
+ TPM_BOOL is_encrypted = (flags & PTM_STATE_FLAG_ENCRYPTED) != 0;
+Index: git/src/swtpm_ioctl/tpm_ioctl.c
+===================================================================
+--- git.orig/src/swtpm_ioctl/tpm_ioctl.c
++++ git/src/swtpm_ioctl/tpm_ioctl.c
+@@ -303,7 +303,7 @@ static int do_save_state_blob(int fd, bo
+ numbytes = write(file_fd, pgs.u.resp.data,
+ devtoh32(is_chardev, pgs.u.resp.length));
+
+- if (numbytes != devtoh32(is_chardev, pgs.u.resp.length)) {
++ if (numbytes != (ssize_t) devtoh32(is_chardev, pgs.u.resp.length)) {
+ fprintf(stderr,
+ "Could not write to file '%s': %s\n",
+ filename, strerror(errno));
+@@ -420,7 +420,7 @@ static int do_load_state_blob(int fd, bo
+ had_error = true;
+ break;
+ }
+- pss.u.req.length = htodev32(is_chardev, numbytes);
++ pss.u.req.length = htodev32(is_chardev, (uint32_t) numbytes);
+
+ /* the returnsize is zero on all intermediate packets */
+ returnsize = ((size_t)numbytes < sizeof(pss.u.req.data))
+@@ -863,7 +863,7 @@ int main(int argc, char *argv[])
+ return EXIT_FAILURE;
+ }
+ /* no tpm_result here */
+- printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap));
++ printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
+
+ } else if (!strcmp(command, "-i")) {
+ init.u.req.init_flags = htodev32(is_chardev, PTM_INIT_FLAG_DELETE_VOLATILE);
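Review bot: `printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));` in the last hunk swaps one format mismatch for another: `uint64_t` is `unsigned long` on LP64 targets, where `%llx` expects `unsigned long long`, so -Wformat still fires there. The portable form is `printf("ptm capability is 0x%" PRIx64 "\n", (uint64_t)devtoh64(is_chardev, cap));` with `<inttypes.h>` included. Note also that the files patched here (src/swtpm/ctrlchannel.c, src/swtpm_ioctl/tpm_ioctl.c) are swtpm sources rather than libtpms, yet the patch lives under libtpm/files and is marked Pending; the header should name the recipe it is meant for.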
diff --git a/meta-tpm/recipes-tpm1/libtpm/libtpm_0.9.5.bb b/meta-tpm/recipes-tpm1/libtpm/libtpm_0.9.5.bb
new file mode 100644
index 0000000..cf80064
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/libtpm/libtpm_0.9.5.bb
@@ -0,0 +1,16 @@
+SUMMARY = "LIBPM - Software TPM Library"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
+
+SRCREV = "df1c3e98d697f3c1f09262d2ba161a7db784d6cc"
+SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.9;protocol=https"
+
+PE = "1"
+
+S = "${WORKDIR}/git"
+inherit autotools-brokensep pkgconfig perlnative
+
+PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
new file mode 100644
index 0000000..bed8b92
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
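Review bot: SRC_URI here contains only the git fetch line, so none of the three patches this commit moves into libtpm/files/ (Convert-another-vdprintf-to-dprintf.patch, Use-format-s-for-call-to-dprintf.patch, fix_signed_issue.patch) is applied by the recipe. Two of them are marked Upstream-Status: Backport and are presumably already in the pinned stable-0.9 revision, in which case the files should be deleted rather than carried along; fix_signed_issue.patch is Pending and targets swtpm sources, so it is either mis-filed or dead. Separately, `SUMMARY = "LIBPM - Software TPM Library"` looks like a typo for libtpms.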
@@ -0,0 +1,99 @@
+commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
+Author: Junxian.Xiao
+Date: Wed Jun 19 18:57:13 2013 +0800
+
+support well-known password in openssl-tpm-engine.
+
+Add "-z" option to select well known password in create_tpm_key tool.
+
+Signed-off-by: Junxian.Xiao
+
+Index: git/src/create_tpm_key.c
+===================================================================
+--- git.orig/src/create_tpm_key.c
++++ git/src/create_tpm_key.c
+@@ -48,6 +48,8 @@
+
+ #include "ssl_compat.h"
+
++#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/
++
+ #define print_error(a,b) \
+ fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \
+ a, b, Trspi_Error_String(b))
+@@ -72,6 +74,7 @@ usage(char *argv0)
+ "\t\t-e|--enc-scheme encryption scheme to use [PKCSV15] or OAEP\n"
+ "\t\t-q|--sig-scheme signature scheme to use [DER] or SHA1\n"
+ "\t\t-s|--key-size key size in bits [2048]\n"
++ "\t\t-z|--zerokey use well known 20 bytes zero as SRK password.\n"
+ "\t\t-a|--auth require a password for the key [NO]\n"
+ "\t\t-p|--popup use TSS GUI popup dialogs to get the password "
+ "for the\n\t\t\t\t key [NO] (implies --auth)\n"
+@@ -154,6 +157,7 @@ int main(int argc, char **argv)
+ int asn1_len;
+ char *filename, c, *openssl_key = NULL;
+ int option_index, auth = 0, popup = 0, wrap = 0;
++ int wellknownkey = 0;
+ UINT32 enc_scheme = TSS_ES_RSAESPKCSV15;
+ UINT32 sig_scheme = TSS_SS_RSASSAPKCS1V15_DER;
+ UINT32 key_size = 2048;
+@@ -161,12 +165,15 @@ int main(int argc, char **argv)
+
+ while (1) {
+ option_index = 0;
+- c = getopt_long(argc, argv, "pe:q:s:ahw:",
++ c = getopt_long(argc, argv, "pe:q:s:zahw:",
+ long_options, &option_index);
+ if (c == -1)
+ break;
+
+ switch (c) {
++ case 'z':
++ wellknownkey = 1;
++ break;
+ case 'a':
+ initFlags |= TSS_KEY_AUTHORIZATION;
+ auth = 1;
+@@ -300,6 +307,8 @@ int main(int argc, char **argv)
+
+ if (srk_authusage) {
+ char *authdata = calloc(1, 128);
++ TSS_FLAG secretMode = TSS_SECRET_MODE_PLAIN;
++ int authlen = 0;
+
+ if (!authdata) {
+ fprintf(stderr, "malloc failed.\n");
+@@ -316,17 +325,26 @@ int main(int argc, char **argv)
+ exit(result);
+ }
+
+- if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
+- Tspi_Context_CloseObject(hContext, hKey);
+- Tspi_Context_Close(hContext);
+- free(authdata);
+- exit(result);
++ if (wellknownkey) {
++ memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN);
++ secretMode = TSS_SECRET_MODE_SHA1;
++ authlen = TPM_WELL_KNOWN_KEY_LEN;
++ }
++ else {
++ if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
++ Tspi_Context_CloseObject(hContext, hKey);
++ Tspi_Context_Close(hContext);
++ free(authdata);
++ exit(result);
++ }
++ secretMode = TSS_SECRET_MODE_PLAIN;
++ authlen = strlen(authdata);
+ }
+
+ //Set Secret
+ if ((result = Tspi_Policy_SetSecret(srkUsagePolicy,
+- TSS_SECRET_MODE_PLAI
+- strlen(authdata),
++ secretMode,
++ authlen,
+ (BYTE *)authdata))) {
+ print_error("Tspi_Policy_SetSecret", result);
+ free(authdata);
diff --git a/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
new file mode 100644
index 0000000..2caaaf0
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
@@ -0,0 +1,80 @@
+commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
+Author: Junxian.Xiao
+Date: Wed Jun 19 18:57:13 2013 +0800
+
+support reading SRK password from env TPM_SRK_PW
+
+Add "env TPM_SRK_PW=xxxx" to set password for libtpm.so. Specially,
+use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password.
+
+Signed-off-by: Junxian.Xiao
+
+Index: git/src/e_tpm.c
+===================================================================
+--- git.orig/src/e_tpm.c
++++ git/src/e_tpm.c
+@@ -38,6 +38,8 @@
+ #include "e_tpm.h"
+ #include "ssl_compat.h"
+
++#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/
++
+ //#define DLOPEN_TSPI
+
+ #ifndef OPENSSL_NO_HW
+@@ -262,6 +264,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
+ TSS_RESULT result;
+ UINT32 authusage;
+ BYTE *auth;
++ char *srkPasswd = NULL;
++ TSS_FLAG secretMode = secret_mode;
++ int authlen = 0;
++
+
+ if (hSRK != NULL_HKEY) {
+ DBGFN("SRK is already loaded.");
+@@ -313,18 +319,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
+ return 0;
+ }
+
+- if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ",
+- cb_data)) {
+- Tspi_Context_CloseObject(hContext, hSRK);
+- free(auth);
+- TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+- return 0;
++ srkPasswd = getenv("TPM_SRK_PW");
++ if (NULL != srkPasswd) {
++ if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
++ memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
++ secretMode = TSS_SECRET_MODE_SHA1;
++ authlen = TPM_WELL_KNOWN_KEY_LEN;
++ } else {
++ int authbuflen = 128;
++ memset(auth, 0, authbuflen);
++ strncpy(auth, srkPasswd, authbuflen-1);
++ secretMode = TSS_SECRET_MODE_PLAIN;
++ authlen = strlen(auth);
++ }
++ }
++ else {
++ if (!tpm_engine_get_auth(ui, (char *)auth, 128,
++ "SRK authorization: ", cb_data)) {
++ Tspi_Context_CloseObject(hContext, hSRK);
++ free(auth);
++ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++ return 0;
++ }
++ secretMode = secret_mode;
++ authlen = strlen(auth);
+ }
+
+ /* secret_mode is a global that may be set by engine ctrl
+ * commands. By default, its set to TSS_SECRET_MODE_PLAIN */
+- if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secret_mode,
+- strlen((char *)auth), auth))) {
++ if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secretMode,
++ authlen, auth))) {
+ Tspi_Context_CloseObject(hContext, hSRK);
+ free(auth);
+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
diff --git a/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
new file mode 100644
index 0000000..cc8772d
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
@@ -0,0 +1,251 @@
+From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001
+From: Limeng
+Date: Fri, 23 Jun 2017 11:39:04 +0800
+Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password
+ from env
+
+Before, we support reading SRK password from env TPM_SRK_PW,
+but it is a plain password and not secure.
+So, we improve it and support to get an encrypted (AES algorithm)
+SRK password from env, and then parse it. The default decrypting
+AES password and salt is set in bb file.
+When we initialize TPM, and set a SRK pw, and then we need to
+encrypt it with the same AES password and salt by AES algorithm.
+At last, we set a env as below:
+export TPM_SRK_ENC_PW=xxxxxxxx
+"xxxxxxxx" is the encrypted SRK password for libtpm.so.
+
+Signed-off-by: Meng Li
+---
+ e_tpm.c | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ e_tpm.h | 4 ++
+ e_tpm_err.c | 4 ++
+ 3 files changed, 164 insertions(+), 1 deletion(-)
+
+Index: git/src/e_tpm.c
+===================================================================
+--- git.orig/src/e_tpm.c
++++ git/src/e_tpm.c
+@@ -259,6 +259,118 @@ void ENGINE_load_tpm(void)
+ ERR_clear_error();
+ }
+
++static int tpm_decode_base64(unsigned char *indata,
++ int in_len,
++ unsigned char *outdata,
++ int *out_len)
++{
++ int total_len, len, ret;
++ EVP_ENCODE_CTX dctx;
++
++ EVP_DecodeInit(&dctx);
++
++ total_len = 0;
++ ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
++ if (ret < 0) {
++ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
++ return 1;
++ }
++
++ total_len += len;
++ ret = EVP_DecodeFinal(&dctx, outdata, &len);
++ if (ret < 0) {
++ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
++ return 1;
++ }
++ total_len += len;
++
++ *out_len = total_len;
++
++ return 0;
++}
++
++static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
++ unsigned char *outdata,
++ int *out_len)
++{
++ int dec_data_len, dec_data_lenfinal;
++ unsigned char dec_data[256];
++ unsigned char *aes_pw;
++ unsigned char aes_salt[PKCS5_SALT_LEN];
++ unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
++ const EVP_CIPHER *cipher = NULL;
++ const EVP_MD *dgst = NULL;
++ EVP_CIPHER_CTX *ctx = NULL;
++
++ if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) {
++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++ return 1;
++ }
++
++ aes_pw = malloc(sizeof(SRK_DEC_PW) - 1);
++ if (aes_pw == NULL) {
++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++ return 1;
++ }
++
++ memset(aes_salt, 0x00, sizeof(aes_salt));
++ memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1);
++ memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1);
++
++ cipher = EVP_get_cipherbyname("aes-128-cbc");
++ if (cipher == NULL) {
++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++ free(aes_pw);
++ return 1;
++ }
++ dgst = EVP_sha256();
++
++ EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv);
++
++ ctx = EVP_CIPHER_CTX_new();
++ /* Don't set key or IV right away; we want to check lengths */
++ if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) {
++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++ free(aes_pw);
++ return 1;
++ }
++
++ OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
++ OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
++
++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) {
++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++ free(aes_pw);
++ return 1;
++ }
++
++ if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) {
++ /* Error */
++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++ free(aes_pw);
++ EVP_CIPHER_CTX_free(ctx);
++ return 1;
++ }
++
++ if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) {
++ /* Error */
++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++ free(aes_pw);
++ EVP_CIPHER_CTX_free(ctx);
++ return 1;
++ }
++
++ dec_data_len = dec_data_len + dec_data_lenfinal;
++
++ memcpy(outdata, dec_data, dec_data_len);
++ *out_len = dec_data_len;
++
++ free(aes_pw);
++ EVP_CIPHER_CTX_free(ctx);
++
++ return 0;
++}
++
+ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ {
+ TSS_RESULT result;
+@@ -319,8 +431,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
+ return 0;
+ }
+
+- srkPasswd = getenv("TPM_SRK_PW");
++ srkPasswd = getenv("TPM_SRK_ENC_PW");
+ if (NULL != srkPasswd) {
++ int in_len = strlen(srkPasswd);
++ int out_len;
++ unsigned char *out_buf;
++
++ if (!in_len || in_len % 4) {
++ Tspi_Context_CloseObject(hContext, hSRK);
++ free(auth);
++ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++ return 0;
++ }
++
++ out_len = in_len * 3 / 4;
++ out_buf = malloc(out_len);
++ if (NULL == out_buf) {
++ Tspi_Context_CloseObject(hContext, hSRK);
++ free(auth);
++ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++ return 0;
++ }
++
++ if (tpm_decode_base64(srkPasswd, strlen(srkPasswd),
++ out_buf, &out_len)) {
++ Tspi_Context_CloseObject(hContext, hSRK);
++ free(auth);
++ free(out_buf);
++ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++ return 0;
++ }
++
++ if (tpm_decrypt_srk_pw(out_buf, out_len,
++ auth, &authlen)) {
++ Tspi_Context_CloseObject(hContext, hSRK);
++ free(auth);
++ free(out_buf);
++ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++ return 0;
++ }
++ secretMode = TSS_SECRET_MODE_PLAIN;
++ free(out_buf);
++ }
++#ifdef TPM_SRK_PLAIN_PW
++ else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {
+ if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
+ memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
+ secretMode = TSS_SECRET_MODE_SHA1;
+@@ -333,6 +487,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
+ authlen = strlen(auth);
+ }
+ }
++#endif
+ else {
+ if (!tpm_engine_get_auth(ui, (char *)auth, 128,
+ "SRK authorization: ", cb_data)) {
+Index: git/src/e_tpm.h
+===================================================================
+--- git.orig/src/e_tpm.h
++++ git/src/e_tpm.h
+@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int rea
+ #define TPM_F_TPM_FILL_RSA_OBJECT 116
+ #define TPM_F_TPM_ENGINE_GET_AUTH 117
+ #define TPM_F_TPM_CREATE_SRK_POLICY 118
++#define TPM_F_TPM_DECODE_BASE64 119
++#define TPM_F_TPM_DECRYPT_SRK_PW 120
+
+ /* Reason codes. */
+ #define TPM_R_ALREADY_LOADED 100
+@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int rea
+ #define TPM_R_ID_INVALID 125
+ #define TPM_R_UI_METHOD_FAILED 126
+ #define TPM_R_UNKNOWN_SECRET_MODE 127
++#define TPM_R_DECODE_BASE64_FAILED 128
++#define TPM_R_DECRYPT_SRK_PW_FAILED 129
+
+ /* structure pointed to by the RSA object's app_data pointer */
+ struct rsa_app_data
+Index: git/src/e_tpm_err.c
+===================================================================
+--- git.orig/src/e_tpm_err.c
++++ git/src/e_tpm_err.c
+@@ -234,6 +234,8 @@ static ERR_STRING_DATA TPM_str_functs[]
+ {ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
+ {ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
+ {ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
++ {ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"},
++ {ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"},
+ {0, NULL}
+ };
+
+@@ -264,6 +266,8 @@ static ERR_STRING_DATA TPM_str_reasons[]
+ {TPM_R_FILE_READ_FAILED, "failed reading the key file"},
+ {TPM_R_ID_INVALID, "engine id doesn't match"},
+ {TPM_R_UI_METHOD_FAILED, "ui function failed"},
++ {TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"},
++ {TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"},
+ {0, NULL}
+ };
+
diff --git a/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
new file mode 100644
index 0000000..535472a
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
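Review bot: `tpm_decrypt_srk_pw` decrypts into the fixed 256-byte stack array `dec_data` while `in_len` is whatever base64-decoding `getenv("TPM_SRK_ENC_PW")` yields (the caller only checks `in_len % 4`), so an oversized environment value overflows the stack inside `EVP_CipherUpdate`, and the following `memcpy(outdata, dec_data, dec_data_len)` can then write up to 256 bytes into `auth`, which the TPM_SRK_PW branch of this same function treats as a 128-byte buffer. The function also leaks `ctx` on the two `EVP_CipherInit_ex` error returns and never checks `EVP_CIPHER_CTX_new()` for NULL, and the `#ifdef TPM_SRK_PLAIN_PW` line `else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {` is missing a closing parenthesis as shown here, so that build variant cannot compile. Bound the ciphertext before decrypting and give the function the capacity of its output buffer, as sketched below, with the caller passing `128` for `auth`. The patch header's claim that this is "secure" also deserves a caveat: the AES password and salt are compiled into libtpm.so (`SRK_DEC_PW`/`SRK_DEC_SALT`), so anyone who can read the library can recover the SRK password from the environment; this is obfuscation, not protection.
```c
static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
                              unsigned char *outdata, int out_max,
                              int *out_len)
{
    /* … unchanged: locals, salt/key derivation, cipher lookup … */

    /* CBC decryption never grows the data, but CipherFinal may still write
     * one trailing block, so keep a full block of slack in dec_data. */
    if (in_len <= 0 || in_len > (int)sizeof(dec_data) - EVP_MAX_BLOCK_LENGTH) {
        TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
        free(aes_pw);
        return 1;
    }

    ctx = EVP_CIPHER_CTX_new();
    if (ctx == NULL) {
        TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
        free(aes_pw);
        return 1;
    }

    /* … unchanged: EVP_CipherInit_ex / EVP_CipherUpdate / EVP_CipherFinal_ex,
     *     with every error path also calling EVP_CIPHER_CTX_free(ctx) … */

    dec_data_len = dec_data_len + dec_data_lenfinal;
    if (dec_data_len > out_max) {
        TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
        free(aes_pw);
        EVP_CIPHER_CTX_free(ctx);
        return 1;
    }
    memcpy(outdata, dec_data, dec_data_len);
    /* … unchanged: *out_len, cleanup, return 0 … */
```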
@@ -0,0 +1,31 @@
+From fb44e2814fd819c086f9a4c925427f89c0e8cec6 Mon Sep 17 00:00:00 2001
+From: Limeng
+Date: Fri, 21 Jul 2017 16:32:02 +0800
+Subject: [PATCH] tpm:openssl-tpm-engine: change variable c type from char
+ into int
+
+refer to getopt_long() function definition, its return value type is
+int. So, change variable c type from char into int.
+On arm platform, when getopt_long() calling fails, if we define c as
+char type, its value will be 255, not -1. This will cause code enter
+wrong case.
+
+Signed-off-by: Meng Li
+---
+ create_tpm_key.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: git/src/create_tpm_key.c
+===================================================================
+--- git.orig/src/create_tpm_key.c
++++ git/src/create_tpm_key.c
+@@ -155,7 +155,8 @@ int main(int argc, char **argv)
+ ASN1_OCTET_STRING *blob_str;
+ unsigned char *blob_asn1 = NULL;
+ int asn1_len;
+- char *filename, c, *openssl_key = NULL;
++ char *filename, *openssl_key = NULL;
++ int c;
+ int option_index, auth = 0, popup = 0, wrap = 0;
+ int wellknownkey = 0;
+ UINT32 enc_scheme = TSS_ES_RSAESPKCSV15;
diff --git a/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/openssl11_build_fix.patch b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/openssl11_build_fix.patch
new file mode 100644
index 0000000..2f8eb81
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/openssl11_build_fix.patch
@@ -0,0 +1,34 @@
+Fix compiling for openssl 1.1
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster
+
+Index: git/src/e_tpm.c
+===================================================================
+--- git.orig/src/e_tpm.c
++++ git/src/e_tpm.c
+@@ -265,19 +265,20 @@ static int tpm_decode_base64(unsigned ch
+ int *out_len)
+ {
+ int total_len, len, ret;
+- EVP_ENCODE_CTX dctx;
++ EVP_ENCODE_CTX *dctx;
+
+- EVP_DecodeInit(&dctx);
++ dctx = EVP_ENCODE_CTX_new();
++ EVP_DecodeInit(dctx);
+
+ total_len = 0;
+- ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
++ ret = EVP_DecodeUpdate(dctx, outdata, &len, indata, in_len);
+ if (ret < 0) {
+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+ return 1;
+ }
+
+ total_len += len;
+- ret = EVP_DecodeFinal(&dctx, outdata, &len);
++ ret = EVP_DecodeFinal(dctx, outdata, &len);
+ if (ret < 0) {
+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+ return 1;
diff --git a/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
new file mode 100644
index 0000000..e3e643e
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
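Review bot: `dctx = EVP_ENCODE_CTX_new();` is not checked for NULL before `EVP_DecodeInit(dctx)`, and neither of the two `return 1;` paths in this hunk frees it; the success path of `tpm_decode_base64` lies outside the hunk and will need an `EVP_ENCODE_CTX_free(dctx);` too, otherwise every SRK load leaks a context where the old stack-allocated `EVP_ENCODE_CTX` needed no release. Suggested shape: `if (dctx == NULL) { TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED); return 1; }` right after the allocation, and `EVP_ENCODE_CTX_free(dctx);` before each return. Pre-existing but visible here: `EVP_DecodeFinal(dctx, outdata, &len)` writes at the start of `outdata` rather than at `outdata + total_len`, so any bytes it flushes would clobber the beginning of the decoded data.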
@@ -0,0 +1,65 @@
+DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
+HOMEPAGE = "https://github.com/mgerstner/openssl_tpm_engine"
+SECTION = "security/tpm"
+
+LICENSE = "OpenSSL"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
+
+DEPENDS += "openssl trousers"
+
+SRC_URI = "\
+ git://github.com/mgerstner/openssl_tpm_engine.git;branch=master;protocol=https \
+ file://0001-create-tpm-key-support-well-known-key-option.patch \
+ file://0002-libtpm-support-env-TPM_SRK_PW.patch \
+ file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
+ file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \
+ file://openssl11_build_fix.patch \
+"
+SRCREV = "b28de5065e6eb9aa5d5afe2276904f7624c2cbaf"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig
+
+# The definitions below are used to decrypt the srk password.
+# It is allowed to define the values in 3 forms: string, hex number and
+# the hybrid, e.g,
+# srk_dec_pw = "incendia"
+# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
+# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
+#
+# Due to the limit of escape character, the hybrid must be written in
+# above style. The actual values defined below in C code style are:
+# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
+# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
+srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
+srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
+
+CFLAGS:append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
+
+# Uncomment below line if using the plain srk password for development
+#CFLAGS:append = " -DTPM_SRK_PLAIN_PW"
+
+do_configure:prepend() {
+ cd ${B}
+ cp LICENSE COPYING
+ touch NEWS AUTHORS ChangeLog README
+}
+
+FILES:${PN}-staticdev += "${libdir}/ssl/engines-3/tpm.la"
+FILES:${PN}-dbg += "\
+ ${libdir}/ssl/engines-3/.debug \
+ ${libdir}/engines-3/.debug \
+ ${prefix}/local/ssl/lib/engines-3/.debug \
+"
+FILES:${PN} += "\
+ ${libdir}/ssl/engines-3/tpm.so* \
+ ${libdir}/engines-3/tpm.so* \
+ ${libdir}/libtpm.so* \
+ ${prefix}/local/ssl/lib/engines-3/tpm.so* \
+"
+
+RDEPENDS:${PN} += "libcrypto libtspi"
+
+INSANE_SKIP:${PN} = "libdir"
+INSANE_SKIP:${PN}-dbg = "libdir"
diff --git a/meta-tpm/recipes-tpm1/pcr-extend/files/fix_openssl11_build.patch b/meta-tpm/recipes-tpm1/pcr-extend/files/fix_openssl11_build.patch
new file mode 100644
index 0000000..cf2d437
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/pcr-extend/files/fix_openssl11_build.patch
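Review bot: `CFLAGS:append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"` compiles the AES password and salt into libtpm.so as string literals, and the `?=` defaults are published right here, so `TPM_SRK_ENC_PW` is recoverable by anyone who can read the engine library (or the build log and the `-dbg` package, where the same flags land) unless every integrator overrides both variables. The comment block above should say this plainly; suggested addition: `# NOTE: these defaults are public. The "encrypted" SRK password only hides it from casual inspection; override both values per product (e.g. in local.conf) and treat the built library as key material.` A `python __anonymous()` that emits `bb.warn` while both values are still the defaults would surface the footgun at build time instead of in the field. The `-DTPM_SRK_PLAIN_PW` development switch should carry the same warning, since it re-enables the plaintext `TPM_SRK_PW` environment path.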
@@ -0,0 +1,45 @@
+Enable building with openssl 1.1
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster
+
+Index: git/src/pcr-extend.c
+===================================================================
+--- git.orig/src/pcr-extend.c
++++ git/src/pcr-extend.c
+@@ -118,7 +118,7 @@ dump_buf (FILE *file, char *buf, size_t
+ static unsigned char*
+ sha1_file (FILE *file, unsigned int *hash_len)
+ {
+- EVP_MD_CTX ctx = { 0 };
++ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ unsigned char *buf = NULL, *hash = NULL;
+ size_t num_read = 0;
+
+@@ -127,7 +127,7 @@ sha1_file (FILE *file, unsigned int *has
+ perror ("malloc:\n");
+ goto sha1_fail;
+ }
+- if (EVP_DigestInit (&ctx, EVP_sha1 ()) == 0) {
++ if (EVP_DigestInit (ctx, EVP_sha1 ()) == 0) {
+ ERR_print_errors_fp (stderr);
+ goto sha1_fail;
+ }
+@@ -135,7 +135,7 @@ sha1_file (FILE *file, unsigned int *has
+ num_read = fread (buf, 1, BUF_SIZE, file);
+ if (num_read <= 0)
+ break;
+- if (EVP_DigestUpdate (&ctx, buf, num_read) == 0) {
++ if (EVP_DigestUpdate (ctx, buf, num_read) == 0) {
+ ERR_print_errors_fp (stderr);
+ goto sha1_fail;
+ }
+@@ -149,7 +149,7 @@ sha1_file (FILE *file, unsigned int *has
+ perror ("calloc of hash buffer:\n");
+ goto sha1_fail;
+ }
+- if (EVP_DigestFinal (&ctx, hash, hash_len) == 0) {
++ if (EVP_DigestFinal (ctx, hash, hash_len) == 0) {
+ ERR_print_errors_fp (stderr);
+ goto sha1_fail;
+ }
diff --git a/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb b/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb
new file mode 100644
index 0000000..45da416
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb
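Review bot: `EVP_MD_CTX *ctx = EVP_MD_CTX_new();` is never checked for NULL, so an allocation failure reaches `EVP_DigestInit (ctx, ...)` with a null context, and nothing in this patch frees the context; with the old stack-allocated `EVP_MD_CTX` no release was needed, so the patch turns every `sha1_file` call into a leak. `sha1_fail:` and the success return are outside the hunk; add `EVP_MD_CTX_free (ctx);` at that label (and before the success return), and guard the allocation before the `EVP_DigestInit` call with `if (ctx == NULL) { ERR_print_errors_fp (stderr); goto sha1_fail; }`.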
@@ -0,0 +1,26 @@
+SUMMARY = "Command line utility to extend hash of arbitrary data into a TPMs PCR."
+HOMEPAGE = "https://github.com/flihp/pcr-extend"
+SECTION = "security/tpm"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS = "libtspi"
+
+PV = "0.1+git${SRCPV}"
+SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
+
+SRC_URI = "git://github.com/flihp/pcr-extend.git;branch=master;protocol=https \
+ file://fix_openssl11_build.patch "
+
+inherit autotools
+
+S = "${WORKDIR}/git"
+
+do_compile() {
+ oe_runmake -C ${S}/src
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ oe_runmake -C ${S}/src DESTDIR="${D}" install
+}
diff --git a/meta-tpm/recipes-tpm1/swtpm/files/fix_fcntl_h.patch b/meta-tpm/recipes-tpm1/swtpm/files/fix_fcntl_h.patch
new file mode 100644
index 0000000..3d16431
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/swtpm/files/fix_fcntl_h.patch
@@ -0,0 +1,31 @@
+From 8750a6c3f0b4d9e7e45b4079150d29eb44774e9c Mon Sep 17 00:00:00 2001
+From: Armin Kuster
+Date: Tue, 14 Mar 2017 22:59:36 -0700
+Subject: [PATCH 2/4] logging: Fix musl build issue with fcntl
+
+ error: #warning redirecting incorrect #include to [-Werror=cpp]
+ #warning redirecting incorrect #include to
+
+---
+ src/swtpm/logging.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/swtpm/logging.c b/src/swtpm/logging.c
+index f16cab6..7da8606 100644
+--- a/src/swtpm/logging.c
++++ b/src/swtpm/logging.c
+@@ -45,7 +45,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+ #include
+ #include
+ #include
+--
+2.11.0
+
diff --git a/meta-tpm/recipes-tpm1/swtpm/files/fix_lib_search_path.patch b/meta-tpm/recipes-tpm1/swtpm/files/fix_lib_search_path.patch
new file mode 100644
index 0000000..60958f7
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/swtpm/files/fix_lib_search_path.patch
@@ -0,0 +1,66 @@
+From 672bb4ee625da3141ba6cecb0601c7563de4c483 Mon Sep 17 00:00:00 2001
+From: Armin Kuster
+Date: Thu, 13 Oct 2016 02:03:56 -0700
+Subject: [PATCH 1/4] swtpm: add new package
+
+Upstream-Status: Inappropriate [OE config]
+
+Signed-off-by: Armin Kuster
+
+Rebased to current tip.
+
+Signed-off-by: Patrick Ohly
+
+---
+ configure.ac | 34 ++++++++++------------------------
+ 1 file changed, 10 insertions(+), 24 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index abf5be1..85ed6ac 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -395,31 +395,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-security"
+ dnl We have to make sure libtpms is using the same crypto library
+ dnl to avoid problems
+ AC_MSG_CHECKING([the crypto library libtpms is using])
+-dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
+- sed -n '/SEARCH_DIR/p' | \
+- sed 's/SEARCH_DIR("\(@<:@^"@:>@*\)"); */\1 /g' | \
+- sed 's|=/|/|g')
+-for dir in $dirs $LIBRARY_PATH; do
+- if test -r $dir/libtpms.so; then
+- if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
+- libtpms_cryptolib="openssl"
+- break
+- fi
+- if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
+- libtpms_cryptolib="freebl"
+- break
+- fi
++dir="$SEARCH_DIR"
++if test -r $dir/libtpms.so; then
++ if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
++ libtpms_cryptolib="openssl"
++ break
+ fi
+- case $host_os in
+- cygwin|openbsd*)
+- if test -r $dir/libtpms.a; then
+- if test -n "$(nm $dir/libtpms.a | grep "U AES_encrypt")"; then
+- libtpms_cryptolib="openssl"
+- fi
+- fi
+- ;;
+- esac
+-done
++ if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
++ libtpms_cryptolib="freebl"
++ break
++ fi
++fi
+
+ if test -z "$libtpms_cryptolib"; then
+ AC_MSG_ERROR([Could not determine libtpms crypto library.])
+--
+2.11.0
+
diff --git a/meta-tpm/recipes-tpm1/swtpm/swtpm-wrappers-native.bb b/meta-tpm/recipes-tpm1/swtpm/swtpm-wrappers-native.bb
new file mode 100644
index 0000000..bb93374
--- /dev/null
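Review bot: The two `break` statements kept from the removed `for` loop (`++ break` under the libcrypto and libnss3 tests) now sit outside any loop, which is at best a no-op and a shell warning, and with `dir="$SEARCH_DIR"` an unset SEARCH_DIR makes the check look at `/libtpms.so`. The test also runs the build host's `ldd` on `libtpms.so`, which presumably only works for the native build; for a target .so ldd cannot resolve foreign-arch dependencies, so whatever the recipe does to make this pass for target builds (SEARCH_DIR or an override of `libtpms_cryptolib`) is worth stating in the patch header. A tighter form of the replacement block:
```m4
AC_MSG_CHECKING([the crypto library libtpms is using])
if test -n "$SEARCH_DIR" && test -r "$SEARCH_DIR/libtpms.so"; then
  if ldd "$SEARCH_DIR/libtpms.so" | grep -q libcrypto.so; then
    libtpms_cryptolib="openssl"
  elif ldd "$SEARCH_DIR/libtpms.so" | grep -q libnss3.so; then
    libtpms_cryptolib="freebl"
  fi
fi
```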
+++ b/meta-tpm/recipes-tpm1/swtpm/swtpm-wrappers-native.bb 
@@ -0,0 +1,49 @@ +SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools" +LICENSE = "MIT" +DEPENDS = "swtpm-native" + +inherit native + +# The whole point of the recipe is to make files available +# for use after the build is done, so don't clean up... +RM_WORK_EXCLUDE += "${PN}" + +do_create_wrapper () { + # Wrap (almost) all swtpm binaries. Some get special wrappers and some + # are not needed. + for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do + exe=`basename $i` + case $exe in + swtpm_setup) + cat >${WORKDIR}/swtpm_setup_oe.sh <${WORKDIR}/${exe}_oe.sh < +Bug-Debian: http://bugs.debian.org/753063 + +Upstream-Status: Backport +tpm-tools_1.3.9.1-0.1.debian.tar + +Signed-off-by: Armin kuster + +--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_present.c 2012-05-17 21:49:58.000000000 +0400 ++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_present.c 2014-06-29 01:01:11.502081468 +0400 +@@ -165,7 +165,7 @@ + + TSS_BOOL bCmd, bHwd; + BOOL bRc; +- TSS_HPOLICY hTpmPolicy; ++ TSS_HPOLICY hTpmPolicy = 0; + char *pwd = NULL; + int pswd_len; + char rsp[5]; +--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_takeownership.c 2010-09-30 21:28:09.000000000 +0400 ++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_takeownership.c 2014-06-29 01:01:51.069373655 +0400 +@@ -67,7 +67,7 @@ + char *szSrkPasswd = NULL; + int tpm_len, srk_len; + TSS_HTPM hTpm; +- TSS_HKEY hSrk; ++ TSS_HKEY hSrk = 0; + TSS_FLAG fSrkAttrs; + TSS_HPOLICY hTpmPolicy, hSrkPolicy; + int iRc = -1; +--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_nvwrite.c 2011-08-17 16:20:35.000000000 +0400 ++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_nvwrite.c 2014-06-29 01:02:45.836397172 +0400 +@@ -220,7 +220,7 @@ + close(fd); + fd = -1; + } else if (fillvalue >= 0) { +- if (length < 0) { ++ if (length == 0) { + logError(_("Requiring size parameter.\n")); + return -1; + } +--- tpm-tools-1.3.8/src/data_mgmt/data_protect.c 2012-05-17 21:49:58.000000000 +0400 ++++ tpm-tools-1.3.8-my/src/data_mgmt/data_protect.c 
2014-06-29 01:03:49.863254459 +0400
+@@ -432,8 +432,8 @@
+
+ char *pszPin = NULL;
+
+- CK_RV rv;
+- CK_SESSION_HANDLE hSession;
++ CK_RV rv = 0;
++ CK_SESSION_HANDLE hSession = 0;
+ CK_OBJECT_HANDLE hObject;
+ CK_MECHANISM tMechanism = { CKM_AES_ECB, NULL, 0 };
+
diff --git a/meta-tpm/recipes-tpm1/tpm-tools/files/openssl1.1_fix.patch b/meta-tpm/recipes-tpm1/tpm-tools/files/openssl1.1_fix.patch
new file mode 100644
index 0000000..9ae3f72
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/tpm-tools/files/openssl1.1_fix.patch
@@ -0,0 +1,18 @@
+Upstream-Status: Pending
+Update to build with openssl 1.1.x
+
+Signed-off-by: Armin Kuster
+
+Index: git/src/cmds/tpm_extendpcr.c
+===================================================================
+--- git.orig/src/cmds/tpm_extendpcr.c
++++ git/src/cmds/tpm_extendpcr.c
+@@ -136,7 +136,7 @@ int main(int argc, char **argv)
+
+ unsigned char msg[EVP_MAX_MD_SIZE];
+ unsigned int msglen;
+- EVP_MD_CTX ctx;
++ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(&ctx, EVP_sha1());
+ while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0)
+ EVP_DigestUpdate(&ctx, line, lineLen);
diff --git a/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch b/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch
new file mode 100644
index 0000000..40150af
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch
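Review bot: The declaration becomes `EVP_MD_CTX *ctx = EVP_MD_CTX_new();` but the two context lines right after it still pass `&ctx` — now an `EVP_MD_CTX **` — to `EVP_DigestInit` and `EVP_DigestUpdate`, so the patched file compiles only with an incompatible-pointer warning and then hands OpenSSL the address of the pointer as its digest context, corrupting the stack at runtime. The calls need to become `EVP_DigestInit(ctx, EVP_sha1());` and `EVP_DigestUpdate(ctx, line, lineLen);`, the `EVP_DigestFinal` that presumably follows outside the hunk must likewise take `ctx` and be followed by `EVP_MD_CTX_free(ctx);`, and the allocation should be NULL-checked. The enclosing `main` starts and ends outside the hunk.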
@@ -0,0 +1,244 @@ +Index: git/include/tpm_tspi.h +=================================================================== +--- git.orig/include/tpm_tspi.h ++++ git/include/tpm_tspi.h +@@ -117,6 +117,10 @@ TSS_RESULT tpmPcrRead(TSS_HTPM a_hTpm, U + UINT32 *a_PcrSize, BYTE **a_PcrValue); + TSS_RESULT pcrcompositeSetPcrValue(TSS_HPCRS a_hPcrs, UINT32 a_Idx, + UINT32 a_PcrSize, BYTE *a_PcrValue); ++TSS_RESULT tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx, ++ UINT32 a_DataSize, BYTE *a_Data, ++ TSS_PCR_EVENT *a_Event, ++ UINT32 *a_PcrSize, BYTE **a_PcrValue); + #ifdef TSS_LIB_IS_12 + TSS_RESULT unloadVersionInfo(UINT64 *offset, BYTE *blob, TPM_CAP_VERSION_INFO *v); + TSS_RESULT pcrcompositeSetPcrLocality(TSS_HPCRS a_hPcrs, UINT32 localityValue); +Index: git/lib/tpm_tspi.c +=================================================================== +--- git.orig/lib/tpm_tspi.c ++++ git/lib/tpm_tspi.c +@@ -594,6 +594,20 @@ pcrcompositeSetPcrValue(TSS_HPCRS a_hPcr + return result; + } + ++TSS_RESULT ++tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx, ++ UINT32 a_DataSize, BYTE *a_Data, ++ TSS_PCR_EVENT *a_Event, ++ UINT32 *a_PcrSize, BYTE **a_PcrValue) ++{ ++ TSS_RESULT result = ++ Tspi_TPM_PcrExtend(a_hTpm, a_Idx, a_DataSize, a_Data, a_Event, ++ a_PcrSize, a_PcrValue); ++ tspiResult("Tspi_TPM_PcrExtend", result); ++ ++ return result; ++} ++ + #ifdef TSS_LIB_IS_12 + /* + * These getPasswd functions will wrap calls to the other functions and check to see if the TSS +Index: git/src/cmds/Makefile.am +=================================================================== +--- git.orig/src/cmds/Makefile.am ++++ git/src/cmds/Makefile.am +@@ -22,6 +22,7 @@ + # + + bin_PROGRAMS = tpm_sealdata \ ++ tpm_extendpcr \ + tpm_unsealdata + + if TSS_LIB_IS_12 +@@ -33,4 +34,5 @@ endif + LDADD = $(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto @INTLLIBS@ + + tpm_sealdata_SOURCES = tpm_sealdata.c ++tpm_extendpcr_SOURCES = tpm_extendpcr.c + tpm_unsealdata_SOURCES = 
tpm_unsealdata.c +Index: git/src/cmds/tpm_extendpcr.c +=================================================================== +--- /dev/null ++++ git/src/cmds/tpm_extendpcr.c +@@ -0,0 +1,181 @@ ++/* ++ * The Initial Developer of the Original Code is International ++ * Business Machines Corporation. Portions created by IBM ++ * Corporation are Copyright (C) 2005, 2006 International Business ++ * Machines Corporation. All Rights Reserved. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the Common Public License as published by ++ * IBM Corporation; either version 1 of the License, or (at your option) ++ * any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * Common Public License for more details. ++ * ++ * You should have received a copy of the Common Public License ++ * along with this program; if not, a copy can be viewed at ++ * http://www.opensource.org/licenses/cpl1.0.php. ++ */ ++#include ++#include ++#include ++#include "tpm_tspi.h" ++#include "tpm_utils.h" ++#include "tpm_seal.h" ++ ++// #define TPM_EXTENDPCR_DEBUG ++ ++static void help(const char *aCmd) ++{ ++ logCmdHelp(aCmd); ++ logCmdOption("-i, --infile FILE", ++ _ ++ ("Filename containing data to extend PCRs with. 
Default is STDIN.")); ++ logCmdOption("-p, --pcr NUMBER", ++ _("PCR to extend.")); ++ ++} ++ ++static char in_filename[PATH_MAX] = ""; ++static TSS_HPCRS hPcrs = NULL_HPCRS; ++static TSS_HTPM hTpm; ++static UINT32 selectedPcrs[24]; ++static UINT32 selectedPcrsLen = 0; ++TSS_HCONTEXT hContext = 0; ++ ++static int parse(const int aOpt, const char *aArg) ++{ ++ int rc = -1; ++ ++ switch (aOpt) { ++ case 'i': ++ if (aArg) { ++ strncpy(in_filename, aArg, PATH_MAX); ++ rc = 0; ++ } ++ break; ++ case 'p': ++ if (aArg) { ++ selectedPcrs[selectedPcrsLen++] = atoi(aArg); ++ rc = 0; ++ } ++ break; ++ default: ++ break; ++ } ++ return rc; ++ ++} ++ ++int main(int argc, char **argv) ++{ ++ ++ int iRc = -1; ++ struct option opts[] = { ++ {"infile", required_argument, NULL, 'i'}, ++ {"pcr", required_argument, NULL, 'p'}, ++ }; ++ unsigned char line[EVP_MD_block_size(EVP_sha1()) * 16]; ++ int lineLen; ++ UINT32 i; ++ ++ BIO *bin = NULL; ++ ++ initIntlSys(); ++ ++ if (genericOptHandler(argc, argv, "i:p:", opts, ++ sizeof(opts) / sizeof(struct option), parse, ++ help) != 0) ++ goto out; ++ ++ if (contextCreate(&hContext) != TSS_SUCCESS) ++ goto out; ++ ++ if (contextConnect(hContext) != TSS_SUCCESS) ++ goto out_close; ++ ++ if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS) ++ goto out_close; ++ ++ /* Create a BIO for the input file */ ++ if ((bin = BIO_new(BIO_s_file())) == NULL) { ++ logError(_("Unable to open input BIO\n")); ++ goto out_close; ++ } ++ ++ /* Assign the input file to the BIO */ ++ if (strlen(in_filename) == 0) ++ BIO_set_fp(bin, stdin, BIO_NOCLOSE); ++ else if (!BIO_read_filename(bin, in_filename)) { ++ logError(_("Unable to open input file: %s\n"), ++ in_filename); ++ goto out_close; ++ } ++ ++ /* Create the PCRs object. 
If any PCRs above 15 are selected, this will need to be ++ * a 1.2 TSS/TPM */ ++ if (selectedPcrsLen) { ++ TSS_FLAG initFlag = 0; ++ UINT32 pcrSize; ++ BYTE *pcrValue; ++ ++ for (i = 0; i < selectedPcrsLen; i++) { ++ if (selectedPcrs[i] > 15) { ++#ifdef TSS_LIB_IS_12 ++ initFlag |= TSS_PCRS_STRUCT_INFO_LONG; ++#else ++ logError(_("This version of %s was compiled for a v1.1 TSS, which " ++ "can only seal\n data to PCRs 0-15. PCR %u is out of range" ++ "\n"), argv[0], selectedPcrs[i]); ++ goto out_close; ++#endif ++ } ++ } ++ ++ unsigned char msg[EVP_MAX_MD_SIZE]; ++ unsigned int msglen; ++ EVP_MD_CTX ctx; ++ EVP_DigestInit(&ctx, EVP_sha1()); ++ while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) ++ EVP_DigestUpdate(&ctx, line, lineLen); ++ EVP_DigestFinal(&ctx, msg, &msglen); ++ ++ if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag, ++ &hPcrs) != TSS_SUCCESS) ++ goto out_close; ++ ++ for (i = 0; i < selectedPcrsLen; i++) { ++#ifdef TPM_EXTENDPCR_DEBUG ++ if (tpmPcrRead(hTpm, selectedPcrs[i], &pcrSize, &pcrValue) != TSS_SUCCESS) ++ goto out_close; ++ ++ unsigned int j; ++ for (j = 0; j < pcrSize; j++) ++ printf("%02X ", pcrValue[j]); ++ printf("\n"); ++#endif ++ ++ if (tpmPcrExtend(hTpm, selectedPcrs[i], msglen, msg, NULL, &pcrSize, &pcrValue) != TSS_SUCCESS) ++ goto out_close; ++ ++#ifdef TPM_EXTENDPCR_DEBUG ++ for (j = 0; j < pcrSize; j++) ++ printf("%02X ", pcrValue[j]); ++ printf("\n"); ++#endif ++ } ++ } ++ ++ iRc = 0; ++ logSuccess(argv[0]); ++ ++out_close: ++ contextClose(hContext); ++ ++out: ++ if (bin) ++ BIO_free(bin); ++ return iRc; ++} diff --git a/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb new file mode 100644 index 0000000..b47d53a --- /dev/null +++ b/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb 
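Review bot: In the parse() callback this patch adds, `selectedPcrs[selectedPcrsLen++] = atoi(aArg);` writes into the fixed `static UINT32 selectedPcrs[24]` with no bound, so repeating `-p` more than 24 times overruns the array, and the parsed value is never range-checked before use (the later `> 15` test only rejects values on a 1.1 TSS build; a negative or very large atoi result goes straight to tpmPcrExtend on a 1.2 build). The `-p` case should guard with `if (aArg && selectedPcrsLen < sizeof(selectedPcrs) / sizeof(selectedPcrs[0]))` and reject an index outside the PCR range instead of deferring to the TSS. The `-i` case has a related defect: `strncpy(in_filename, aArg, PATH_MAX);` leaves no terminator for an argument of PATH_MAX bytes or more, after which `strlen(in_filename)` in main() reads past the buffer; copying `PATH_MAX - 1` bytes keeps the static array's trailing zero. The file looks moved unchanged from recipes-tpm, so both issues predate this commit.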
@@ -0,0 +1,35 @@
+SUMMARY = "The tpm-tools package contains commands to allow the platform administrator the ability to manage and diagnose the platform's TPM."
+DESCRIPTION = " \
+ The tpm-tools package contains commands to allow the platform administrator \
+ the ability to manage and diagnose the platform's TPM. Additionally, the \
+ package contains commands to utilize some of the capabilities available \
+ in the TPM PKCS#11 interface implemented in the openCryptoki project. \
+ "
+SECTION = "tpm"
+LICENSE = "CPL-1.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
+
+DEPENDS = "libtspi openssl perl-native"
+DEPENDS:class-native = "trousers-native"
+
+SRCREV = "bf43837575c5f7d31865562dce7778eae970052e"
+SRC_URI = " \
+ git://git.code.sf.net/p/trousers/tpm-tools;branch=master \
+ file://tpm-tools-extendpcr.patch \
+ file://04-fix-FTBFS-clang.patch \
+ file://openssl1.1_fix.patch \
+ "
+
+inherit autotools-brokensep gettext
+
+S = "${WORKDIR}/git"
+
+do_configure:prepend () {
+ mkdir -p po
+ mkdir -p m4
+ cp -R po_/* po/
+ touch po/Makefile.in.in
+ touch m4/Makefile.am
+}
+
+BBCLASSEXTEND = "native"
diff --git a/meta-tpm/recipes-tpm1/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch b/meta-tpm/recipes-tpm1/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
new file mode 100644
index 0000000..7b3cc77
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
@@ -0,0 +1,68 @@ +From 3396fc7a184293c23135161f034802062f7f3816 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Andr=C3=A9=20Draszik?= +Date: Wed, 1 Nov 2017 11:41:48 +0000 +Subject: [PATCH] build: don't override --localstatedir --mandir --sysconfdir +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It is currently impossible to override localstatedir, +mandir and sysconfdir during ./configure, because they +are being overriden unconditionally because of they +way trousers is built using rpmbuild. + +If they need massaging for rpmbuild, the values should +be specified inside the spec file, not in ./configure +and thereby overriding user-requested values. + +With this patch it is now possible to set above +locations as needed. The .spec file is being modified +as well so as to restore previous behaviour. + +Signed-off-by: André Draszik +--- +Upstream-Status: Submitted [https://sourceforge.net/p/trousers/mailman/message/36099290/] +Signed-off-by: André Draszik + configure.ac | 11 ++--------- + dist/trousers.spec.in | 2 +- + 2 files changed, 3 insertions(+), 10 deletions(-) + +diff --git a/configure.ac b/configure.ac +index b9626af..7fe5f8e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -376,16 +376,9 @@ CFLAGS="$CFLAGS -I../include \ + KERNEL_VERSION=`uname -r` + AC_SUBST(CFLAGS) + +-# When we build the rpms, prefix will be /usr. This'll do some things that make sense, +-# like put our sbin stuff in /usr/sbin and our library in /usr/lib. It'll do some other +-# things that don't make sense like put our config file in /usr/etc. So, I'll just hack +-# it here. If the --prefix option isn't specified during configure, let it all go to ++# If the --prefix option isn't specified during configure, let it all go to + # /usr/local, even /usr/local/etc. 
:-P +-if test x"${prefix}" = x"/usr"; then +- sysconfdir="/etc" +- localstatedir="/var" +- mandir="/usr/share/man" +-elif test x"${prefix}" = x"NONE"; then ++if test x"${prefix}" = x"NONE"; then + localstatedir="/usr/local/var" + fi + +diff --git a/dist/trousers.spec.in b/dist/trousers.spec.in +index b298b0e..10ef178 100644 +--- a/dist/trousers.spec.in ++++ b/dist/trousers.spec.in +@@ -45,7 +45,7 @@ applications. + + %build + %{?arch64:export PKG_CONFIG_PATH=%{pkgconfig_path}:$PKG_CONFIG_PATH} +-./configure --prefix=/usr --libdir=%{_libdir} ++./configure --prefix=/usr --libdir=%{_libdir} --sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man + make + + %clean +-- +2.15.0.rc1 + diff --git a/meta-tpm/recipes-tpm1/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch b/meta-tpm/recipes-tpm1/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch new file mode 100644 index 0000000..3f5a144 --- /dev/null +++ b/meta-tpm/recipes-tpm1/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch 
@@ -0,0 +1,49 @@ +trousers: fix compiling with musl + +use POSIX getpwent instead of getpwent_r + +Upstream-Status: Submitted + +Signed-off-by: Armin Kuster + +Index: git/src/tspi/ps/tspps.c +=================================================================== +--- git.orig/src/tspi/ps/tspps.c ++++ git/src/tspi/ps/tspps.c +@@ -66,9 +66,6 @@ get_user_ps_path(char **file) + TSS_RESULT result; + char *file_name = NULL, *home_dir = NULL; + struct passwd *pwp; +-#if (defined (__linux) || defined (linux) || defined(__GLIBC__)) +- struct passwd pw; +-#endif + struct stat stat_buf; + char buf[PASSWD_BUFSIZE]; + uid_t euid; +@@ -96,24 +93,15 @@ get_user_ps_path(char **file) + #else + setpwent(); + while (1) { +-#if (defined (__linux) || defined (linux) || defined(__GLIBC__)) +- rc = getpwent_r(&pw, buf, PASSWD_BUFSIZE, &pwp); +- if (rc) { +- LogDebugFn("USER PS: Error getting path to home directory: getpwent_r: %s", +- strerror(rc)); +- endpwent(); +- return TSPERR(TSS_E_INTERNAL_ERROR); +- } +- +-#elif (defined (__FreeBSD__) || defined (__OpenBSD__)) + if ((pwp = getpwent()) == NULL) { + LogDebugFn("USER PS: Error getting path to home directory: getpwent: %s", + strerror(rc)); + endpwent(); ++#if (defined (__FreeBSD__) || defined (__OpenBSD__)) + MUTEX_UNLOCK(user_ps_path); ++#endif + return TSPERR(TSS_E_INTERNAL_ERROR); + } +-#endif + if (euid == pwp->pw_uid) { + home_dir = strdup(pwp->pw_dir); + break; diff --git a/meta-tpm/recipes-tpm1/trousers/files/tcsd.service b/meta-tpm/recipes-tpm1/trousers/files/tcsd.service new file mode 100644 index 0000000..787d4e9 --- /dev/null +++ b/meta-tpm/recipes-tpm1/trousers/files/tcsd.service @@ -0,0 +1,10 @@ +[Unit] +Description=TCG Core Services Daemon +After=syslog.target + +[Service] +Type=forking +ExecStart=@SBINDIR@/tcsd + +[Install] +WantedBy=multi-user.target diff --git a/meta-tpm/recipes-tpm1/trousers/files/trousers-udev.rules b/meta-tpm/recipes-tpm1/trousers/files/trousers-udev.rules new file mode 100644 index 0000000..256babd 
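Review bot: On the NULL path the patch keeps `strerror(rc)` in the getpwent error message, but getpwent() does not set `rc` and nothing in the hunk assigns it on that path (the removed getpwent_r call was what produced it), so the log reports whatever `rc` last held rather than the failure reason; `strerror(errno)` captured immediately after the call is what the POSIX interface provides. A NULL return from getpwent() is also the ordinary end-of-database case, so the message would be misleading when the euid simply has no passwd entry. get_user_ps_path() starts and ends outside the hunk.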
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/trousers/files/trousers-udev.rules
@@ -0,0 +1,2 @@
+# trousers daemon expects tpm device to be owned by tss user & group
+KERNEL=="tpm[0-9]*", MODE="0600", OWNER="tss", GROUP="tss"
diff --git a/meta-tpm/recipes-tpm1/trousers/files/trousers.init.sh b/meta-tpm/recipes-tpm1/trousers/files/trousers.init.sh
new file mode 100644
index 0000000..d0d6cb3
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/trousers/files/trousers.init.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: tcsd trousers
+# Required-Start: $local_fs $remote_fs $network
+# Required-Stop: $local_fs $remote_fs $network
+# Should-Start:
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: starts tcsd
+# Description: tcsd belongs to the TrouSerS TCG Software Stack
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/tcsd
+NAME=tcsd
+DESC="Trusted Computing daemon"
+USER="tss"
+
+test -x "${DAEMON}" || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+case "${1}" in
+ start)
+ echo "Starting $DESC: "
+
+ if [ ! -e /dev/tpm* ]
+ then
+ echo "device driver not loaded, skipping."
+ exit 0
+ fi
+
+ start-stop-daemon --start --quiet --oknodo \
+ --pidfile /var/run/${NAME}.pid --make-pidfile --background \
+ --user ${USER} --chuid ${USER} \
+ --exec ${DAEMON} -- ${DAEMON_OPTS} --foreground
+ RETVAL="$?"
+ echo "$NAME."
+ exit $RETVAL
+ ;;
+
+ stop)
+ echo "Stopping $DESC: "
+
+ start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --exec ${DAEMON}
+ RETVAL="$?"
+ echo "$NAME."
+ rm -f /var/run/${NAME}.pid
+ exit $RETVAL
+ ;;
+
+ restart|force-reload)
+ "${0}" stop
+ sleep 1
+ "${0}" start
+ exit $?
+ ;;
+ *)
+ echo "Usage: ${NAME} {start|stop|restart|force-reload|status}" >&2
+ exit 3
+ ;;
+esac
+
+exit 0
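Review bot: `if [ ! -e /dev/tpm* ]` in the start branch relies on an unquoted glob inside a one-operand test; with zero or one match it behaves as intended, but once a kernel exposes both /dev/tpm0 and /dev/tpmrm0 the glob expands to two words, `[` errors out with "too many arguments" and the negated test is false, so tcsd is started only as a side effect of that error. Inside the start branch `$1` is no longer needed, so `set -- /dev/tpm*` followed by `if [ ! -e "$1" ]` expresses the check for any number of matches. The usage text also advertises a `status` verb that the case statement never implements, so `status` exits 3 with the usage message. The script looks moved unchanged from recipes-tpm, so these predate the rename.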
diff --git a/meta-tpm/recipes-tpm1/trousers/trousers_git.bb b/meta-tpm/recipes-tpm1/trousers/trousers_git.bb
new file mode 100644
index 0000000..192c66c
--- /dev/null
+++ b/meta-tpm/recipes-tpm1/trousers/trousers_git.bb
@@ -0,0 +1,120 @@
+SUMMARY = "TrouSerS - An open-source TCG Software Stack implementation."
+LICENSE = "BSD-3-Clause"
+HOMEPAGE = "http://sourceforge.net/projects/trousers/"
+LIC_FILES_CHKSUM = "file://README;startline=3;endline=4;md5=2af28fbed0832e4d83a9e6dd68bb4413"
+SECTION = "security/tpm"
+
+DEPENDS = "openssl"
+
+SRCREV = "94144b0a1dcef6e31845d6c319e9bd7357208eb9"
+PV = "0.3.15+git${SRCPV}"
+
+SRC_URI = " \
+ git://git.code.sf.net/p/trousers/trousers;branch=master \
+ file://trousers.init.sh \
+ file://trousers-udev.rules \
+ file://tcsd.service \
+ file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
+ file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
+ "
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig useradd update-rc.d ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+
+PACKAGECONFIG ?= "gmp "
+PACKAGECONFIG[gmp] = "--with-gmp, --with-gmp=no, gmp"
+PACKAGECONFIG[gtk] = "--with-gui=gtk, --with-gui=none, gtk+"
+
+do_install () {
+ oe_runmake DESTDIR=${D} install
+}
+
+do_install:append() {
+ install -d ${D}${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/trousers.init.sh ${D}${sysconfdir}/init.d/trousers
+ install -d ${D}${sysconfdir}/udev/rules.d
+ install -m 0644 ${WORKDIR}/trousers-udev.rules ${D}${sysconfdir}/udev/rules.d/45-trousers.rules
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/tcsd.service ${D}${systemd_unitdir}/system/
+ sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/tcsd.service
+ fi
+}
+
+CONFFILES:${PN} += "${sysconfig}/tcsd.conf"
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = " \
+ libtspi \
+ libtspi-dbg \
+ libtspi-dev \
+ libtspi-doc \
+ libtspi-staticdev \
+ trousers \
+ trousers-dbg \
+ trousers-doc \
+ "
+
+# libtspi needs tcsd for most (all?) operations, so suggest to
+# install that.
+RRECOMMENDS:libtspi = "${PN}"
+
+FILES:libtspi = " \
+ ${libdir}/*.so.1 \
+ ${libdir}/*.so.1.2.0 \
+ "
+FILES:libtspi-dbg = " \
+ ${libdir}/.debug \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tspi \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trspi \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/*.h \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/tss \
+ "
+FILES:libtspi-dev = " \
+ ${includedir} \
+ ${libdir}/*.so \
+ "
+FILES:libtspi-doc = " \
+ ${mandir}/man3 \
+ "
+FILES:libtspi-staticdev = " \
+ ${libdir}/*.la \
+ ${libdir}/*.a \
+ "
+FILES:${PN} = " \
+ ${sbindir}/tcsd \
+ ${sysconfdir} \
+ ${localstatedir} \
+ "
+
+FILES:${PN}-dev += "${libdir}/trousers"
+
+FILES:${PN}-dbg = " \
+ ${sbindir}/.debug \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcs \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcsd \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tddl \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trousers \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/trousers \
+ "
+FILES:${PN}-doc = " \
+ ${mandir}/man5 \
+ ${mandir}/man8 \
+ "
+
+FILES:${PN} += "${systemd_unitdir}/*"
+
+INITSCRIPT_NAME = "trousers"
+INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system tss"
+USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE:${PN} = "tcsd.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+BBCLASSEXTEND = "native"
-- cgit v1.2.3-54-g00ecf
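Review bot: `CONFFILES:${PN} += "${sysconfig}/tcsd.conf"` references `${sysconfig}`, which is not an OE/BitBake variable; it expands to empty, the entry becomes `/tcsd.conf`, and the daemon's configuration file is therefore not registered as a conffile, so a package upgrade can silently overwrite a locally edited tcsd.conf. The line should read `CONFFILES:${PN} += "${sysconfdir}/tcsd.conf"`, matching the `${sysconfdir}` the recipe uses everywhere else. Separately, `FILES:${PN}` claims all of `${sysconfdir}` and `${localstatedir}` rather than the files the recipe installs, which would also absorb any unrelated file that lands in those directories; listing the init script, the udev rule and tcsd.conf explicitly is safer. The recipe looks moved unchanged from recipes-tpm, so both points predate the rename.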