Initial commit

Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
@@ -0,0 +1,80 @@
meta-tpm layer
==============
The bbappend files for some recipes (e.g. linux-yocto) in this layer need
to have 'tpm' in DISTRO_FEATURES to have effect.
To enable them, add in configuration file the following line.
DISTRO_FEATURES:append = " tpm"
If meta-tpm is included, but tpm is not enabled as a
distro feature a warning is printed at parse time:
You have included the meta-tpm layer, but
'tpm' has not been enabled in your DISTRO_FEATURES. Some bbappend files
and preferred version setting may not take effect.
If you know what you are doing, this warning can be disabled by setting the following
variable in your configuration:
SKIP_META_TPM_SANITY_CHECK = 1
This layer contains base TPM recipes.
Dependencies
============
This layer depends on:
URI: git://git.openembedded.org/openembedded-core
branch: master
revision: HEAD
prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-oe
branch: master
revision: HEAD
prio: default
Adding the meta-tpm layer to your build
========================================
In order to use this layer, you need to make the build system aware of
it.
Assuming this layer exists at the top-level of your
yocto build tree, you can add it to the build system by adding the
location of the meta-tpm layer to bblayers.conf, along with any
other layers needed. e.g.:
BBLAYERS ?= " \
/path/to/oe-core/meta \
/path/to/meta-openembedded/meta-oe \
/path/to/layer/meta-tpm \
Maintenance
-----------
Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
When sending single patches, please using something like:
'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][PATCH'
These values can be set as defaults for this repository:
$ git config sendemail.to yocto@lists.yoctoproject.org
$ git config format.subjectPrefix meta-security][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
Maintainers: Armin Kuster <akuster808@gmail.com>
License
=======
All metadata is MIT licensed unless otherwise stated. Source code included
in tree for individual recipes is under the LICENSE stated in each recipe
(.bb file) unless otherwise stated.
@@ -0,0 +1,12 @@
addhandler tpm_machinecheck
tpm_machinecheck[eventmask] = "bb.event.SanityCheck"
python tpm_machinecheck() {
skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1"
if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and \
'tpm2' not in e.data.getVar('DISTRO_FEATURES').split() and \
not skip_check:
bb.warn("You have included the meta-tpm layer, but \
'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
and preferred version setting may not take effect. See the meta-tpm README \
for details on enabling tpm support.")
}
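Review bot: `e.data.getVar('DISTRO_FEATURES')` is dereferenced unguarded on L69–L70; when the variable is unset, `.split()` raises AttributeError inside the SanityCheck handler instead of producing the warning. Evaluate it once into a local with a fallback, e.g. `features = (e.data.getVar('DISTRO_FEATURES') or '').split()`, or use `bb.utils.contains_any('DISTRO_FEATURES', 'tpm tpm2', True, False, e.data)`. The warning on L72–L75 accepts either `tpm` or `tpm2`, while the README added in the same commit only documents adding `tpm`; the README should mention `tpm2` as well so the two agree.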
@@ -0,0 +1,38 @@
# meta-tpm Maintainers File
#
# This file contains a list of recipe maintainers.
#
# Please submit any patches against recipes in meta to the
# Yocto mail list (yocto@yoctoproject.org)
#
# If you have problems with or questions about a particular recipe, feel
# free to contact the maintainer directly (cc:ing the appropriate mailing list
# puts it in the archive and helps other people who might have the same
# questions in the future), but please try to do the following first:
#
# - look in the Yocto Project Bugzilla
# (http://bugzilla.yoctoproject.org/) to see if a problem has
# already been reported
#
# The format is as a bitbake variable override for each recipe
#
# RECIPE_MAINTAINER:pn-<recipe name> = "Full Name <address@domain>"
#
# Please keep this list in alphabetical order.
RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-pcr-extend = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-tpm-quote-tools = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-libtpm = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-trousers = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-swtpm = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-openssl-tpm-engine = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-tpm-tools = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-tpm2-abrmd = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-tpm2-totp = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-tpm2-tcti-uefi = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER:pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>"
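Review bot: The header on L98 asks that the list be kept in alphabetical order, but the entries from L99 onward are not sorted (pn-pcr-extend precedes pn-libtpm, pn-ibmswtpm2 comes last). L99 lists aircrack-ng, for which no recipe is visible in this layer's sections of the commit, so it looks copied from elsewhere and is worth confirming. The comment on L82 says "recipes in meta", which reads as carried over from oe-core; suggest `# Please submit any patches against recipes in meta-tpm to the`.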
@@ -0,0 +1,28 @@
# We have a conf and classes directory, add to BBPATH
BBPATH .= ":${LAYERDIR}"
# We have a recipes directory, add to BBFILES
BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
BBFILE_COLLECTIONS += "tpm-layer"
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_tpm-layer = "6"
LAYERSERIES_COMPAT_tpm-layer = "mickledore"
LAYERDEPENDS_tpm-layer = " \
core \
openembedded-layer \
meta-python \
"
BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
# Sanity check for meta-integrity layer.
# Setting SKIP_META_TPM_SANITY_CHECK to "1" would skip the bbappend files check.
INHERIT += "sanity-meta-tpm"
BBFILES_DYNAMIC += " \
networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
"
addpylib ${LAYERDIR}/lib oeqa
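Review bot: The comment on L132 names the wrong layer: `# Sanity check for meta-integrity layer.` should read `# Sanity check for meta-tpm layer.`, since the class inherited on L134 is sanity-meta-tpm. The companion comment on L133 is accurate, as the class reads SKIP_META_TPM_SANITY_CHECK.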
@@ -0,0 +1,26 @@
# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
#
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
from oeqa.runtime.decorator.package import OEHasPackage
from oeqa.core.decorator.data import skipIfNotFeature
class SwTpmTest(OERuntimeTestCase):
@classmethod
def setUpClass(cls):
cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('mkdir /tmp/myvtpm2')
cls.tc.target.run('chown tss:root /tmp/myvtpm2')
@classmethod
def tearDownClass(cls):
cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('rm -fr /tmp/myvtpm2')
@skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
@OETestDepends(['ssh.SSHTest.test_ssh'])
@OEHasPackage(['swtpm'])
def test_swtpm2_ek_cert(self):
cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
status, output = self.target.run(cmd)
self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
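Review bot: The trailing comma on L160 makes `cmd` a one-element tuple, so `self.target.run(cmd)` on L161 receives a tuple rather than the command string; drop the comma: `cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2'`. The `mkdir` and `chown` in setUpClass (L150–L151) discard their return status, so a failure there surfaces only as an opaque swtpm_setup error later; asserting on those statuses would make the failure mode clear.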
@@ -0,0 +1,69 @@
# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com>
#
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
from oeqa.runtime.decorator.package import OEHasPackage
from oeqa.core.decorator.data import skipIfNotFeature
class Tpm2Test(OERuntimeTestCase):
@classmethod
def setUpClass(cls):
cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('mkdir /tmp/myvtpm2')
@classmethod
def tearDownClass(cls):
cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('rm -fr /tmp/myvtpm2')
def check_endlines(self, results, expected_endlines):
for line in results.splitlines():
for el in expected_endlines:
if line == el:
expected_endlines.remove(el)
break
if expected_endlines:
self.fail('Missing expected line endings:\n %s' % '\n '.join(expected_endlines))
@OEHasPackage(['tpm2-tools'])
@OEHasPackage(['tpm2-abrmd'])
@OEHasPackage(['swtpm'])
@skipIfNotFeature('tpm2','Test tpm2_startup requires tpm2 to be in DISTRO_FEATURES')
@OETestDepends(['ssh.SSHTest.test_ssh'])
def test_tpm2_startup(self):
cmds = [
'swtpm socket -d --tpmstate dir=/tmp/myvtpm2 --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init',
'tpm2_startup -c -T "swtpm:port=2321"',
]
for cmd in cmds:
status, output = self.target.run(cmd)
self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
@OETestDepends(['tpm2.Tpm2Test.test_tpm2_startup'])
def test_tpm2_pcrread(self):
(status, output) = self.target.run('tpm2_pcrread')
expected_endlines = []
expected_endlines.append(' sha1:')
expected_endlines.append(' 0 : 0x0000000000000000000000000000000000000000')
expected_endlines.append(' 1 : 0x0000000000000000000000000000000000000000')
expected_endlines.append(' sha256:')
expected_endlines.append(' 0 : 0x0000000000000000000000000000000000000000000000000000000000000000')
expected_endlines.append(' 1 : 0x0000000000000000000000000000000000000000000000000000000000000000')
self.check_endlines(output, expected_endlines)
@OEHasPackage(['p11-kit'])
@OEHasPackage(['tpm2-pkcs11'])
@OETestDepends(['tpm2.Tpm2Test.test_tpm2_pcrread'])
def test_tpm2_pkcs11(self):
(status, output) = self.target.run('p11-kit list-modules -v')
self.assertEqual(status, 0, msg="Modules missing: %s" % output)
@OETestDepends(['tpm2.Tpm2Test.test_tpm2_pkcs11'])
def test_tpm2_swtpm_reset(self):
(status, output) = self.target.run('swtpm_ioctl -i --tcp :2322')
self.assertEqual(status, 0, msg="swtpm reset failed: %s" % output)
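Review bot: `test_tpm2_pcrread` on L202 never checks `status`, so a failing `tpm2_pcrread` is reported as missing output lines instead of as a command failure; add `self.assertEqual(status, 0, msg='tpm2_pcrread failed: %s' % output)` before the `check_endlines` call. Unlike `tpm2_startup` on L195, the `tpm2_pcrread` call passes no `-T "swtpm:port=2321"`, so it presumably relies on tpm2-abrmd or a TPM2TOOLS_TCTI setting on the target — worth confirming or passing the TCTI explicitly. `check_endlines` (L179) compares whole lines with `==` despite its name and removes entries from the caller's list while iterating it; `missing = set(expected_endlines) - set(results.splitlines())` expresses the same check without mutation.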
@@ -0,0 +1,18 @@
DESCRIPTION = "A small image for building a tpm image for testing"
IMAGE_FEATURES += "ssh-server-openssh"
IMAGE_INSTALL = "\
packagegroup-base \
packagegroup-core-boot \
packagegroup-security-tpm \
os-release \
"
IMAGE_LINGUAS ?= " "
LICENSE = "MIT"
inherit core-image
export IMAGE_BASENAME = "security-tpm-image"
@@ -0,0 +1,19 @@
DESCRIPTION = "A small image for building a tpm2 image for testing"
IMAGE_FEATURES += "ssh-server-openssh"
IMAGE_INSTALL = "\
packagegroup-base \
packagegroup-core-boot \
packagegroup-security-tpm2 \
os-release \
swtpm \
"
IMAGE_LINGUAS ?= " "
LICENSE = "MIT"
inherit core-image
export IMAGE_BASENAME = "security-tpm2-image"
@@ -0,0 +1,19 @@
DESCRIPTION = "Security packagegroup for TPM i2c support"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
inherit packagegroup
PACKAGES = "packagegroup-security-tpm-i2c"
SUMMARY:packagegroup-security-tpm-i2c = "Security TPM i2c support"
RDEPENDS:packagegroup-security-tpm-i2c = " \
${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'packagegroup-security-tpm', '', d)} \
${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \
kernel-module-tpm-i2c-atmel \
kernel-module-tpm-i2c-infineon \
kernel-module-tpm-i2c-nuvoton \
kernel-module-tpm-st33zp24 \
kernel-module-tpm-st33zp24-i2c \
"
@@ -0,0 +1,34 @@
DESCRIPTION = "Security packagegroup for Poky"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
inherit packagegroup
PACKAGES = "packagegroup-security-tpm"
SUMMARY:packagegroup-security-tpm = "Security TPM support"
RDEPENDS:packagegroup-security-tpm = " \
tpm-tools \
trousers \
pcr-extend \
tpm-quote-tools \
swtpm \
libhoth \
openssl-tpm-engine \
${X86_TPM_MODULES} \
"
X86_TPM_MODULES ?= ""
X86_TPM_MODULES:x86 = " \
kernel-module-tpm-atmel \
kernel-module-tpm-infineon \
kernel-module-tpm-nsc \
"
X86_TPM_MODULES:x86-64 = " \
kernel-module-tpm-atmel \
kernel-module-tpm-infineon \
kernel-module-tpm-nsc \
"
@@ -0,0 +1,23 @@
DESCRIPTION = "TPM2 packagegroup for Security"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
PACKAGE_ARCH = "${TUNE_PKGARCH}"
inherit packagegroup
PACKAGES = "${PN}"
SUMMARY:packagegroup-security-tpm2 = "Security TPM 2.0 support"
RDEPENDS:packagegroup-security-tpm2 = " \
tpm2-tools \
trousers \
tpm2-tss \
libtss2-mu \
libtss2-tcti-device \
libtss2-tcti-mssim \
libtss2 \
tpm2-abrmd \
tpm2-pkcs11 \
"
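Review bot: RDEPENDS of the TPM 2.0 group on L305 pulls in `trousers`, the TPM 1.2 TSS that the packagegroup-security-tpm recipe in this commit already carries; if that is intentional (for example for openssl-tpm-engine), a comment above L305 should say so, otherwise it looks carried over from the 1.2 group. L301 uses `PACKAGES = "${PN}"` while the sibling packagegroups spell the package name out; picking one form across the layer would help.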
@@ -0,0 +1,14 @@
DESCRIPTION = "Security packagegroup for Poky"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
inherit packagegroup
PACKAGES = "packagegroup-security-vtpm"
SUMMARY:packagegroup-security-vtpm = "Security Software vTPM support"
RDEPENDS:packagegroup-security-vtpm = " \
libtpm \
swtpm \
"
@@ -0,0 +1,8 @@
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_SECURITYFS=y
CONFIG_TCG_NSC=m
CONFIG_TCG_ATMEL=m
CONFIG_TCG_INFINEON=m
@@ -0,0 +1,3 @@
define KFEATURE_DESCRIPTION "Enable TPM"
kconf hardware tpm.cfg
@@ -0,0 +1,6 @@
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_TCG_CRB=y
CONFIG_SECURITYFS=y
@@ -0,0 +1,3 @@
define KFEATURE_DESCRIPTION "Enable TPM 2.0"
kconf hardware tpm2.cfg
@@ -0,0 +1,15 @@
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_SECURITYFS=y
CONFIG_REGMAP_I2C=y
CONFIG_I2C_BOARDINFO=y
CONFIG_I2C_COMPAT=y
CONFIG_RTC_I2C_AND_SPI=y
CONFIG_TCG_TIS_I2C_ATMEL=m
CONFIG_TCG_TIS_I2C_INFINEON=m
CONFIG_TCG_TIS_I2C_NUVOTON=m
CONFIG_TCG_TIS_ST33ZP24_I2C=m
@@ -0,0 +1,6 @@
define KFEATURE_DESCRIPTION "Enable TPM i2c"
include features/i2c/i2c.scc
kconf hardware tpm_i2c.cfg
@@ -0,0 +1,5 @@
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TPM=y
CONFIG_TCG_VTPM_PROXY=y
CONFIG_SECURITYFS=y
~
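Review bot: L371 is a stray `~` at the end of vtpm.cfg, which looks like an editor artifact; a kernel config fragment should contain only `CONFIG_*` lines and comments. Delete that line before the fragment is merged so the kconfig tooling does not choke on it.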
@@ -0,0 +1,4 @@
define KFEATURE_DESCRIPTION "Enable vTPM"
kconf hardware vtpm.cfg
@@ -0,0 +1 @@
require ${@bb.utils.contains_any('DISTRO_FEATURES', 'tpm tpm2', 'linux-yocto_tpm.inc', '', d)}
@@ -0,0 +1,8 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/linux-yocto:"
SRC_URI += " \
${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \
${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \
"
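Review bot: The include on L376 is gated on DISTRO_FEATURES containing tpm or tpm2, while every SRC_URI entry on L380–L383 is gated on MACHINE_FEATURES; a machine with `tpm_i2c` or `vtpm` in MACHINE_FEATURES but neither tpm nor tpm2 in DISTRO_FEATURES silently gets no fragment, and a distro with tpm enabled but no matching MACHINE_FEATURES gets an empty addition. Either gate both on the same variable or record the intent in the bbappend, e.g. `# fragments are selected per MACHINE_FEATURES; the include itself only requires tpm/tpm2 as a distro feature`.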
@@ -0,0 +1,16 @@
SUMMARY = "LIBPM - Software TPM Library"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
SRCREV = "f8c2dc7e12a730dcca4220d7ac5ad86d13dfd630"
SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.9;protocol=https"
PE = "1"
S = "${WORKDIR}/git"
inherit autotools-brokensep pkgconfig perlnative
PACKAGECONFIG ?= "openssl"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
BBCLASSEXTEND = "native"
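Review bot: SUMMARY on L386 reads `LIBPM` for a recipe that fetches libtpms (L390); suggest `SUMMARY = "LIBTPMS - Software TPM Library"`. The rest of the recipe is consistent: SRCREV on L389 is pinned against the named `stable-0.9` branch on L390.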
@@ -0,0 +1,49 @@
SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
LICENSE = "MIT"
DEPENDS = "swtpm-native"
inherit native
# The whole point of the recipe is to make files available
# for use after the build is done, so don't clean up...
RM_WORK_EXCLUDE += "${PN}"
do_create_wrapper () {
# Wrap (almost) all swtpm binaries. Some get special wrappers and some
# are not needed.
for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do
exe=`basename $i`
case $exe in
swtpm_setup)
cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
#! /bin/sh
#
# Wrapper around swtpm_setup which adds parameters required to
# run the setup as non-root directly from the native sysroot.
PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
export PATH
exec swtpm_setup --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
EOF
;;
*)
cat >${WORKDIR}/${exe}_oe.sh <<EOF
#! /bin/sh
#
# Wrapper around $exe which makes it easier to invoke
# the right binary.
PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
export PATH
exec ${exe} "\$@"
EOF
;;
esac
done
chmod a+rx ${WORKDIR}/*.sh
}
addtask do_create_wrapper before do_build after do_prepare_recipe_sysroot
@@ -0,0 +1,50 @@
SUMMARY = "SWTPM - Software TPM Emulator"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
SECTION = "apps"
# expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests
DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib"
SRCREV = "2ae7b019370760e17f4f2675195a91ca53950eda"
SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=master;protocol=https \
"
PE = "1"
S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
inherit autotools pkgconfig perlnative
TSS_USER="tss"
TSS_GROUP="tss"
PACKAGECONFIG ?= "openssl gnutls"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
# expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is
# used by swtpm-create-tpmca (the last two is provided by gnutls)
# gnutls is required by: swtpm-create-tpmca, swtpm-localca and swtpm_cert
PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls-native gnutls, gnutls-bin expect bash tpm2-pkcs11-tools"
PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"
PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp"
EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM:${PN} = "--system ${TSS_USER}"
USERADD_PARAM:${PN} = "--system -g ${TSS_GROUP} --home-dir / \
--no-create-home --shell /bin/false ${BPN}"
PACKAGE_BEFORE_PN = "${PN}-cuse"
FILES:${PN}-cuse = "${bindir}/swtpm_cuse"
INSANE_SKIP:${PN} += "dev-so"
RDEPENDS:${PN} = "libtpm"
BBCLASSEXTEND = "native nativesdk"
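Review bot: USERADD_PARAM on L469–L470 creates the user `${BPN}` (swtpm), while EXTRA_OECONF on L466 configures `--with-tss-user=${TSS_USER}` (tss) and the oeqa test in this commit runs `chown tss:root`; if the `tss` account is expected to come from another recipe (trousers or tpm2-tss), a comment should say so, otherwise the final argument should be `${TSS_USER}`. Suggested comment above L467: `# The tss user/group swtpm is configured for is provided by the TSS recipe; this recipe only creates the swtpm service account.` (confirm which recipe actually provides it). `PARALLEL_MAKE = ""` on L450 carries no explanation; a one-line why-comment would help the next maintainer.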
@@ -0,0 +1,17 @@
SUMMARY = "Google Hoth USB library"
DESCRIPTION = "Libraries and example programs for interacting with a \
hoth-class root of trust."
HOMEPAGE = "https://github.com/google/libhoth"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
SRC_URI = "git://github.com/google/libhoth;protocol=https;branch=main"
SRCREV = "769296220dc88df33f4726aa11e39e049257b3c4"
DEPENDS += "libusb1"
S = "${WORKDIR}/git"
inherit pkgconfig meson
@@ -0,0 +1,101 @@
Upstream-Status: Pending
commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
Date: Wed Jun 19 18:57:13 2013 +0800
support well-known password in openssl-tpm-engine.
Add "-z" option to select well known password in create_tpm_key tool.
Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
Index: git/src/create_tpm_key.c
===================================================================
--- git.orig/src/create_tpm_key.c
+++ git/src/create_tpm_key.c
@@ -48,6 +48,8 @@
#include "ssl_compat.h"
+#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/
+
#define print_error(a,b) \
fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \
a, b, Trspi_Error_String(b))
@@ -72,6 +74,7 @@ usage(char *argv0)
"\t\t-e|--enc-scheme encryption scheme to use [PKCSV15] or OAEP\n"
"\t\t-q|--sig-scheme signature scheme to use [DER] or SHA1\n"
"\t\t-s|--key-size key size in bits [2048]\n"
+ "\t\t-z|--zerokey use well known 20 bytes zero as SRK password.\n"
"\t\t-a|--auth require a password for the key [NO]\n"
"\t\t-p|--popup use TSS GUI popup dialogs to get the password "
"for the\n\t\t\t\t key [NO] (implies --auth)\n"
@@ -154,6 +157,7 @@ int main(int argc, char **argv)
int asn1_len;
char *filename, c, *openssl_key = NULL;
int option_index, auth = 0, popup = 0, wrap = 0;
+ int wellknownkey = 0;
UINT32 enc_scheme = TSS_ES_RSAESPKCSV15;
UINT32 sig_scheme = TSS_SS_RSASSAPKCS1V15_DER;
UINT32 key_size = 2048;
@@ -161,12 +165,15 @@ int main(int argc, char **argv)
while (1) {
option_index = 0;
- c = getopt_long(argc, argv, "pe:q:s:ahw:",
+ c = getopt_long(argc, argv, "pe:q:s:zahw:",
long_options, &option_index);
if (c == -1)
break;
switch (c) {
+ case 'z':
+ wellknownkey = 1;
+ break;
case 'a':
initFlags |= TSS_KEY_AUTHORIZATION;
auth = 1;
@@ -300,6 +307,8 @@ int main(int argc, char **argv)
if (srk_authusage) {
char *authdata = calloc(1, 128);
+ TSS_FLAG secretMode = TSS_SECRET_MODE_PLAIN;
+ int authlen = 0;
if (!authdata) {
fprintf(stderr, "malloc failed.\n");
@@ -316,17 +325,26 @@ int main(int argc, char **argv)
exit(result);
}
- if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
- Tspi_Context_CloseObject(hContext, hKey);
- Tspi_Context_Close(hContext);
- free(authdata);
- exit(result);
+ if (wellknownkey) {
+ memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN);
+ secretMode = TSS_SECRET_MODE_SHA1;
+ authlen = TPM_WELL_KNOWN_KEY_LEN;
+ }
+ else {
+ if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
+ Tspi_Context_CloseObject(hContext, hKey);
+ Tspi_Context_Close(hContext);
+ free(authdata);
+ exit(result);
+ }
+ secretMode = TSS_SECRET_MODE_PLAIN;
+ authlen = strlen(authdata);
}
//Set Secret
if ((result = Tspi_Policy_SetSecret(srkUsagePolicy,
- TSS_SECRET_MODE_PLAIN,
- strlen(authdata),
+ secretMode,
+ authlen,
(BYTE *)authdata))) {
print_error("Tspi_Policy_SetSecret", result);
free(authdata);
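Review bot: The usage text on L511 advertises `--zerokey` and the short option string on L527 gains `z`, but no hunk touches `long_options`, so the long form presumably is not recognized unless it is added there — worth confirming. The `memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN)` on L554 is redundant because `authdata` comes from `calloc` on L540, though it is harmless and documents intent. The hunks here are excerpts of `main` and `usage`, whose bodies start and end outside this patch.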
@@ -0,0 +1,82 @@
Upstream-Status: Pending
commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
Date: Wed Jun 19 18:57:13 2013 +0800
support reading SRK password from env TPM_SRK_PW
Add "env TPM_SRK_PW=xxxx" to set password for libtpm.so. Specially,
use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password.
Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
Index: git/src/e_tpm.c
===================================================================
--- git.orig/src/e_tpm.c
+++ git/src/e_tpm.c
@@ -38,6 +38,8 @@
#include "e_tpm.h"
#include "ssl_compat.h"
+#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/
+
//#define DLOPEN_TSPI
#ifndef OPENSSL_NO_HW
@@ -262,6 +264,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
TSS_RESULT result;
UINT32 authusage;
BYTE *auth;
+ char *srkPasswd = NULL;
+ TSS_FLAG secretMode = secret_mode;
+ int authlen = 0;
+
if (hSRK != NULL_HKEY) {
DBGFN("SRK is already loaded.");
@@ -313,18 +319,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
return 0;
}
- if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ",
- cb_data)) {
- Tspi_Context_CloseObject(hContext, hSRK);
- free(auth);
- TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
- return 0;
+ srkPasswd = getenv("TPM_SRK_PW");
+ if (NULL != srkPasswd) {
+ if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
+ memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
+ secretMode = TSS_SECRET_MODE_SHA1;
+ authlen = TPM_WELL_KNOWN_KEY_LEN;
+ } else {
+ int authbuflen = 128;
+ memset(auth, 0, authbuflen);
+ strncpy(auth, srkPasswd, authbuflen-1);
+ secretMode = TSS_SECRET_MODE_PLAIN;
+ authlen = strlen(auth);
+ }
+ }
+ else {
+ if (!tpm_engine_get_auth(ui, (char *)auth, 128,
+ "SRK authorization: ", cb_data)) {
+ Tspi_Context_CloseObject(hContext, hSRK);
+ free(auth);
+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+ return 0;
+ }
+ secretMode = secret_mode;
+ authlen = strlen(auth);
}
/* secret_mode is a global that may be set by engine ctrl
* commands. By default, its set to TSS_SECRET_MODE_PLAIN */
- if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secret_mode,
- strlen((char *)auth), auth))) {
+ if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secretMode,
+ authlen, auth))) {
Tspi_Context_CloseObject(hContext, hSRK);
free(auth);
TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
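Review bot: `strlen(auth)` on L627 and L639 passes `BYTE *auth` where `char *` is expected (the removed L644 kept the `(char *)` cast), so this compiles with a pointer-sign warning; keep the casts. The new path reads the SRK secret from the `TPM_SRK_PW` environment variable (L616), which is inherited by every child process and visible in the process environment to anything running as the same user; a comment on L616 such as `/* TPM_SRK_PW is inherited by child processes and visible in the process environment; prefer the UI callback path where possible */` would record that trade-off. The following patch in this commit gates this path behind TPM_SRK_PLAIN_PW. `tpm_load_srk` starts and ends outside these hunks.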
@@ -0,0 +1,253 @@
From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001
From: Limeng <Meng.Li@windriver.com>
Date: Fri, 23 Jun 2017 11:39:04 +0800
Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password
from env
Before, we support reading SRK password from env TPM_SRK_PW,
but it is a plain password and not secure.
So, we improve it and support to get an encrypted (AES algorithm)
SRK password from env, and then parse it. The default decrypting
AES password and salt is set in bb file.
When we initialize TPM, and set a SRK pw, and then we need to
encrypt it with the same AES password and salt by AES algorithm.
At last, we set a env as below:
export TPM_SRK_ENC_PW=xxxxxxxx
"xxxxxxxx" is the encrypted SRK password for libtpm.so.
Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
Upstream-Status: Pending
e_tpm.c | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
e_tpm.h | 4 ++
e_tpm_err.c | 4 ++
3 files changed, 164 insertions(+), 1 deletion(-)
Index: git/src/e_tpm.c
===================================================================
--- git.orig/src/e_tpm.c
+++ git/src/e_tpm.c
@@ -259,6 +259,118 @@ void ENGINE_load_tpm(void)
ERR_clear_error();
}
+static int tpm_decode_base64(unsigned char *indata,
+ int in_len,
+ unsigned char *outdata,
+ int *out_len)
+{
+ int total_len, len, ret;
+ EVP_ENCODE_CTX dctx;
+
+ EVP_DecodeInit(&dctx);
+
+ total_len = 0;
+ ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
+ if (ret < 0) {
+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+ return 1;
+ }
+
+ total_len += len;
+ ret = EVP_DecodeFinal(&dctx, outdata, &len);
+ if (ret < 0) {
+ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+ return 1;
+ }
+ total_len += len;
+
+ *out_len = total_len;
+
+ return 0;
+}
+
+static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
+ unsigned char *outdata,
+ int *out_len)
+{
+ int dec_data_len, dec_data_lenfinal;
+ unsigned char dec_data[256];
+ unsigned char *aes_pw;
+ unsigned char aes_salt[PKCS5_SALT_LEN];
+ unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+ const EVP_CIPHER *cipher = NULL;
+ const EVP_MD *dgst = NULL;
+ EVP_CIPHER_CTX *ctx = NULL;
+
+ if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) {
+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+ return 1;
+ }
+
+ aes_pw = malloc(sizeof(SRK_DEC_PW) - 1);
+ if (aes_pw == NULL) {
+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+ return 1;
+ }
+
+ memset(aes_salt, 0x00, sizeof(aes_salt));
+ memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1);
+ memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1);
+
+ cipher = EVP_get_cipherbyname("aes-128-cbc");
+ if (cipher == NULL) {
+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+ free(aes_pw);
+ return 1;
+ }
+ dgst = EVP_sha256();
+
+ EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv);
+
+ ctx = EVP_CIPHER_CTX_new();
+ /* Don't set key or IV right away; we want to check lengths */
+ if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) {
+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+ free(aes_pw);
+ return 1;
+ }
+
+ OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
+ OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
+
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) {
+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+ free(aes_pw);
+ return 1;
+ }
+
+ if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) {
+ /* Error */
+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+ free(aes_pw);
+ EVP_CIPHER_CTX_free(ctx);
+ return 1;
+ }
+
+ if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) {
+ /* Error */
+ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
+ free(aes_pw);
+ EVP_CIPHER_CTX_free(ctx);
+ return 1;
+ }
+
+ dec_data_len = dec_data_len + dec_data_lenfinal;
+
+ memcpy(outdata, dec_data, dec_data_len);
+ *out_len = dec_data_len;
+
+ free(aes_pw);
+ EVP_CIPHER_CTX_free(ctx);
+
+ return 0;
+}
+
int tpm_load_srk(UI_METHOD *ui, void *cb_data)
{
TSS_RESULT result;
@@ -319,8 +431,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
return 0;
}
- srkPasswd = getenv("TPM_SRK_PW");
+ srkPasswd = getenv("TPM_SRK_ENC_PW");
if (NULL != srkPasswd) {
+ int in_len = strlen(srkPasswd);
+ int out_len;
+ unsigned char *out_buf;
+
+ if (!in_len || in_len % 4) {
+ Tspi_Context_CloseObject(hContext, hSRK);
+ free(auth);
+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+ return 0;
+ }
+
+ out_len = in_len * 3 / 4;
+ out_buf = malloc(out_len);
+ if (NULL == out_buf) {
+ Tspi_Context_CloseObject(hContext, hSRK);
+ free(auth);
+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+ return 0;
+ }
+
+ if (tpm_decode_base64(srkPasswd, strlen(srkPasswd),
+ out_buf, &out_len)) {
+ Tspi_Context_CloseObject(hContext, hSRK);
+ free(auth);
+ free(out_buf);
+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+ return 0;
+ }
+
+ if (tpm_decrypt_srk_pw(out_buf, out_len,
+ auth, &authlen)) {
+ Tspi_Context_CloseObject(hContext, hSRK);
+ free(auth);
+ free(out_buf);
+ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+ return 0;
+ }
+ secretMode = TSS_SECRET_MODE_PLAIN;
+ free(out_buf);
+ }
+#ifdef TPM_SRK_PLAIN_PW
+ else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {
if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
secretMode = TSS_SECRET_MODE_SHA1;
@@ -333,6 +487,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
authlen = strlen(auth);
}
}
+#endif
else {
if (!tpm_engine_get_auth(ui, (char *)auth, 128,
"SRK authorization: ", cb_data)) {
Index: git/src/e_tpm.h
===================================================================
--- git.orig/src/e_tpm.h
+++ git/src/e_tpm.h
@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int rea
#define TPM_F_TPM_FILL_RSA_OBJECT 116
#define TPM_F_TPM_ENGINE_GET_AUTH 117
#define TPM_F_TPM_CREATE_SRK_POLICY 118
+#define TPM_F_TPM_DECODE_BASE64 119
+#define TPM_F_TPM_DECRYPT_SRK_PW 120
/* Reason codes. */
#define TPM_R_ALREADY_LOADED 100
@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int rea
#define TPM_R_ID_INVALID 125
#define TPM_R_UI_METHOD_FAILED 126
#define TPM_R_UNKNOWN_SECRET_MODE 127
+#define TPM_R_DECODE_BASE64_FAILED 128
+#define TPM_R_DECRYPT_SRK_PW_FAILED 129
/* structure pointed to by the RSA object's app_data pointer */
struct rsa_app_data
Index: git/src/e_tpm_err.c
===================================================================
--- git.orig/src/e_tpm_err.c
+++ git/src/e_tpm_err.c
@@ -234,6 +234,8 @@ static ERR_STRING_DATA TPM_str_functs[]
{ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
{ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
{ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
+ {ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"},
+ {ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"},
{0, NULL}
};
@@ -264,6 +266,8 @@ static ERR_STRING_DATA TPM_str_reasons[]
{TPM_R_FILE_READ_FAILED, "failed reading the key file"},
{TPM_R_ID_INVALID, "engine id doesn't match"},
{TPM_R_UI_METHOD_FAILED, "ui function failed"},
+ {TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"},
+ {TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"},
{0, NULL}
};
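Review bot: `tpm_decrypt_srk_pw` (L710) writes the decrypted bytes into the fixed `dec_data[256]` on L765 and then `memcpy`s them into `outdata` on L783 without checking either capacity; `in_len` derives from the length of the `TPM_SRK_ENC_PW` environment string (L801, L812), so an over-long value overruns the stack buffer and then the 128-byte `auth` buffer it is copied into. Add a guard before L765, e.g. `if (in_len <= 0 || in_len > (int)sizeof(dec_data) - EVP_MAX_BLOCK_LENGTH) { TSSerr(...); free(aes_pw); EVP_CIPHER_CTX_free(ctx); return 1; }`, and pass the caller's buffer size so the copy on L783 can be bounded. The two `EVP_CipherInit_ex` failure paths on L750 and L759 return without `EVP_CIPHER_CTX_free(ctx)`, and `key`, `iv` and `dec_data` are never cleansed (`OPENSSL_cleanse`) before return, so the plaintext SRK secret remains on the stack. L842 is missing a closing parenthesis — `else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {` has three `(` and two `)` — which goes unnoticed only because the block is under `#ifdef TPM_SRK_PLAIN_PW`. Since SRK_DEC_PW and SRK_DEC_SALT are compiled into the engine (the recipe in this commit sets them in the .bb file), this scheme obfuscates rather than protects the SRK password, and the header comment for `tpm_decrypt_srk_pw` should state that explicitly.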
@@ -0,0 +1,33 @@
From fb44e2814fd819c086f9a4c925427f89c0e8cec6 Mon Sep 17 00:00:00 2001
From: Limeng <Meng.Li@windriver.com>
Date: Fri, 21 Jul 2017 16:32:02 +0800
Subject: [PATCH] tpm:openssl-tpm-engine: change variable c type from char
into int
refer to getopt_long() function definition, its return value type is
int. So, change variable c type from char into int.
On arm platform, when getopt_long() calling fails, if we define c as
char type, its value will be 255, not -1. This will cause code enter
wrong case.
Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
Upstream-Status: Pending
create_tpm_key.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: git/src/create_tpm_key.c
===================================================================
--- git.orig/src/create_tpm_key.c
+++ git/src/create_tpm_key.c
@@ -155,7 +155,8 @@ int main(int argc, char **argv)
ASN1_OCTET_STRING *blob_str;
unsigned char *blob_asn1 = NULL;
int asn1_len;
- char *filename, c, *openssl_key = NULL;
+ char *filename, *openssl_key = NULL;
+ int c;
int option_index, auth = 0, popup = 0, wrap = 0;
int wellknownkey = 0;
UINT32 enc_scheme = TSS_ES_RSAESPKCSV15;
@@ -0,0 +1,34 @@
Fix compiling for openssl 1.1
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/src/e_tpm.c
===================================================================
--- git.orig/src/e_tpm.c
+++ git/src/e_tpm.c
@@ -265,19 +265,20 @@ static int tpm_decode_base64(unsigned ch
int *out_len)
{
int total_len, len, ret;
- EVP_ENCODE_CTX dctx;
+ EVP_ENCODE_CTX *dctx;
- EVP_DecodeInit(&dctx);
+ dctx = EVP_ENCODE_CTX_new();
+ EVP_DecodeInit(dctx);
total_len = 0;
- ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
+ ret = EVP_DecodeUpdate(dctx, outdata, &len, indata, in_len);
if (ret < 0) {
TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
return 1;
}
total_len += len;
- ret = EVP_DecodeFinal(&dctx, outdata, &len);
+ ret = EVP_DecodeFinal(dctx, outdata, &len);
if (ret < 0) {
TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
return 1;
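Review bot: `EVP_ENCODE_CTX_new()` on the added line can return NULL and nothing checks it before `EVP_DecodeInit(dctx)`; the heap context is also never released with `EVP_ENCODE_CTX_free()`, so both `return 1` error paths visible here (and, presumably, the success return further down — tpm_decode_base64 continues outside the hunk) leak it on every key load. The same new-without-free pattern is introduced by the pcr-extend fix_openssl11_build.patch, where `EVP_MD_CTX_new()` in sha1_file is neither NULL-checked nor freed and the sha1_fail cleanup (outside that hunk) would need an `EVP_MD_CTX_free(ctx)`. Suggested shape for this function:
```c
	dctx = EVP_ENCODE_CTX_new();
	if (dctx == NULL) {
		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
		return 1;
	}
	EVP_DecodeInit(dctx);
	/* … unchanged: EVP_DecodeUpdate / EVP_DecodeFinal calls … */
	/* before every return, error paths included: */
	EVP_ENCODE_CTX_free(dctx);
```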
@@ -0,0 +1,65 @@
DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
HOMEPAGE = "https://github.com/mgerstner/openssl_tpm_engine"
SECTION = "security/tpm"
LICENSE = "OpenSSL"
LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
DEPENDS += "openssl trousers"
SRC_URI = "\
git://github.com/mgerstner/openssl_tpm_engine.git;branch=master;protocol=https \
file://0001-create-tpm-key-support-well-known-key-option.patch \
file://0002-libtpm-support-env-TPM_SRK_PW.patch \
file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \
file://openssl11_build_fix.patch \
"
SRCREV = "b28de5065e6eb9aa5d5afe2276904f7624c2cbaf"
S = "${WORKDIR}/git"
inherit autotools-brokensep pkgconfig
# The definitions below are used to decrypt the srk password.
# It is allowed to define the values in 3 forms: string, hex number and
# the hybrid, e.g,
# srk_dec_pw = "incendia"
# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
#
# Due to the limit of escape character, the hybrid must be written in
# above style. The actual values defined below in C code style are:
# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
CFLAGS:append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
# Uncomment below line if using the plain srk password for development
#CFLAGS:append = " -DTPM_SRK_PLAIN_PW"
do_configure:prepend() {
cd ${B}
cp LICENSE COPYING
touch NEWS AUTHORS ChangeLog README
}
FILES:${PN}-staticdev += "${libdir}/ssl/engines-3/tpm.la"
FILES:${PN}-dbg += "\
${libdir}/ssl/engines-3/.debug \
${libdir}/engines-3/.debug \
${prefix}/local/ssl/lib/engines-3/.debug \
"
FILES:${PN} += "\
${libdir}/ssl/engines-3/tpm.so* \
${libdir}/engines-3/tpm.so* \
${libdir}/libtpm.so* \
${prefix}/local/ssl/lib/engines-3/tpm.so* \
"
RDEPENDS:${PN} += "libcrypto libtspi"
INSANE_SKIP:${PN} = "libdir"
INSANE_SKIP:${PN}-dbg = "libdir"
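Review bot: `srk_dec_pw` and `srk_dec_salt` are the material used to decrypt the SRK password and are compiled into the engine through `CFLAGS:append`, yet their defaults are spelled out in this public recipe and its comment; an image built without overriding them protects the SRK password with a publicly known value, and the bytes also land in every build log that prints CFLAGS. The `?=` already permits a per-build override, but the comment block should say that is expected, e.g. `# The defaults below are published with this recipe; set srk_dec_pw and srk_dec_salt in your distro or local.conf before building production images.` The commented-out `-DTPM_SRK_PLAIN_PW` line deserves the same "development only" wording it already hints at.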
@@ -0,0 +1,45 @@
Enable building with openssl 1.1
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/src/pcr-extend.c
===================================================================
--- git.orig/src/pcr-extend.c
+++ git/src/pcr-extend.c
@@ -118,7 +118,7 @@ dump_buf (FILE *file, char *buf, size_t
static unsigned char*
sha1_file (FILE *file, unsigned int *hash_len)
{
- EVP_MD_CTX ctx = { 0 };
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
unsigned char *buf = NULL, *hash = NULL;
size_t num_read = 0;
@@ -127,7 +127,7 @@ sha1_file (FILE *file, unsigned int *has
perror ("malloc:\n");
goto sha1_fail;
}
- if (EVP_DigestInit (&ctx, EVP_sha1 ()) == 0) {
+ if (EVP_DigestInit (ctx, EVP_sha1 ()) == 0) {
ERR_print_errors_fp (stderr);
goto sha1_fail;
}
@@ -135,7 +135,7 @@ sha1_file (FILE *file, unsigned int *has
num_read = fread (buf, 1, BUF_SIZE, file);
if (num_read <= 0)
break;
- if (EVP_DigestUpdate (&ctx, buf, num_read) == 0) {
+ if (EVP_DigestUpdate (ctx, buf, num_read) == 0) {
ERR_print_errors_fp (stderr);
goto sha1_fail;
}
@@ -149,7 +149,7 @@ sha1_file (FILE *file, unsigned int *has
perror ("calloc of hash buffer:\n");
goto sha1_fail;
}
- if (EVP_DigestFinal (&ctx, hash, hash_len) == 0) {
+ if (EVP_DigestFinal (ctx, hash, hash_len) == 0) {
ERR_print_errors_fp (stderr);
goto sha1_fail;
}
@@ -0,0 +1,26 @@
SUMMARY = "Command line utility to extend hash of arbitrary data into a TPMs PCR."
HOMEPAGE = "https://github.com/flihp/pcr-extend"
SECTION = "security/tpm"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
DEPENDS = "libtspi"
PV = "0.1+git${SRCPV}"
SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
SRC_URI = "git://github.com/flihp/pcr-extend.git;branch=master;protocol=https \
file://fix_openssl11_build.patch "
inherit autotools
S = "${WORKDIR}/git"
do_compile() {
oe_runmake -C ${S}/src
}
do_install() {
install -d ${D}${bindir}
oe_runmake -C ${S}/src DESTDIR="${D}" install
}
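Review bot: `DEPENDS = "libtspi"` omits openssl, yet `src/pcr-extend.c` uses the EVP digest API (see the fix_openssl11_build.patch in this commit) and so needs libcrypto headers and library in the sysroot; it presumably resolves today only because trousers pulls openssl in transitively. Make the dependency explicit with `DEPENDS = "libtspi openssl"`.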
@@ -0,0 +1,22 @@
SUMMARY = "The TPM Quote Tools is a collection of programs that provide support \
for TPM based attestation using the TPM quote mechanism. \
"
DESCRIPTION = "The TPM Quote Tools is a collection of programs that provide support \
for TPM based attestation using the TPM quote mechanism. The manual \
page for tpm_quote_tools provides a usage overview. \
\
TPM Quote Tools has been tested with TrouSerS on Linux and NTRU on \
Windows XP. It was ported to Windows using MinGW and MSYS. \
"
HOMEPAGE = "https://sourceforge.net/projects/tpmquotetools/"
SECTION = "security/tpm"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=8ec30b01163d242ecf07d9cd84e3611f"
DEPENDS = "libtspi tpm-tools"
SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools;branch=master"
SRCREV = "4511874d5c9b4504bb96e94f8a14bd6c39a36295"
S = "${WORKDIR}/git"
inherit autotools
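Review bot: `SRC_URI` fetches over `git://` with no `protocol=https`, so the clone travels over the unauthenticated, unencrypted git transport; the pinned `SRCREV` still verifies which commit ends up in the tree, but the openssl-tpm-engine and ibmswtpm2 recipes in this commit already use `;protocol=https`, and the tpm-tools and trousers recipes use the same bare `git://git.code.sf.net/...` form as this one. For consistency: `SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools;branch=master;protocol=https"`, and the same change in tpm-tools and trousers.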
@@ -0,0 +1,56 @@
Title: Fix FTBFS with clang due to uninitialized values
Date: 2015-06-28
Author: Alexander <sanek23994@gmail.com>
Bug-Debian: http://bugs.debian.org/753063
Upstream-Status: Backport
tpm-tools_1.3.9.1-0.1.debian.tar
Signed-off-by: Armin kuster <akuster808@gmail.com>
--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_present.c 2012-05-17 21:49:58.000000000 +0400
+++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_present.c 2014-06-29 01:01:11.502081468 +0400
@@ -165,7 +165,7 @@
TSS_BOOL bCmd, bHwd;
BOOL bRc;
- TSS_HPOLICY hTpmPolicy;
+ TSS_HPOLICY hTpmPolicy = 0;
char *pwd = NULL;
int pswd_len;
char rsp[5];
--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_takeownership.c 2010-09-30 21:28:09.000000000 +0400
+++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_takeownership.c 2014-06-29 01:01:51.069373655 +0400
@@ -67,7 +67,7 @@
char *szSrkPasswd = NULL;
int tpm_len, srk_len;
TSS_HTPM hTpm;
- TSS_HKEY hSrk;
+ TSS_HKEY hSrk = 0;
TSS_FLAG fSrkAttrs;
TSS_HPOLICY hTpmPolicy, hSrkPolicy;
int iRc = -1;
--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_nvwrite.c 2011-08-17 16:20:35.000000000 +0400
+++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_nvwrite.c 2014-06-29 01:02:45.836397172 +0400
@@ -220,7 +220,7 @@
close(fd);
fd = -1;
} else if (fillvalue >= 0) {
- if (length < 0) {
+ if (length == 0) {
logError(_("Requiring size parameter.\n"));
return -1;
}
--- tpm-tools-1.3.8/src/data_mgmt/data_protect.c 2012-05-17 21:49:58.000000000 +0400
+++ tpm-tools-1.3.8-my/src/data_mgmt/data_protect.c 2014-06-29 01:03:49.863254459 +0400
@@ -432,8 +432,8 @@
char *pszPin = NULL;
- CK_RV rv;
- CK_SESSION_HANDLE hSession;
+ CK_RV rv = 0;
+ CK_SESSION_HANDLE hSession = 0;
CK_OBJECT_HANDLE hObject;
CK_MECHANISM tMechanism = { CKM_AES_ECB, NULL, 0 };
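Review bot: The tpm_nvwrite.c hunk is not just an initialization fix: `if (length < 0)` becomes `if (length == 0)`, which changes when "Requiring size parameter" fires. If `length` is unsigned (which would explain clang's complaint about an always-false comparison) the old check could never trigger and the new one is the intended behaviour, but if it is a signed value with a -1 sentinel, a zero-length fill is now rejected while an unset length slips through; the declaration is outside the hunk, so confirm its type and default before taking this. The other hunks zero-initialize TSS and PKCS#11 handles, which only matters if a later cleanup path tests them before assignment — a one-line comment such as `/* = 0 so the error path can test the handle before it is assigned */` would record why.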
@@ -0,0 +1,18 @@
Upstream-Status: Pending
Update to build with openssl 1.1.x
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/src/cmds/tpm_extendpcr.c
===================================================================
--- git.orig/src/cmds/tpm_extendpcr.c
+++ git/src/cmds/tpm_extendpcr.c
@@ -136,7 +136,7 @@ int main(int argc, char **argv)
unsigned char msg[EVP_MAX_MD_SIZE];
unsigned int msglen;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
EVP_DigestInit(&ctx, EVP_sha1());
while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0)
EVP_DigestUpdate(&ctx, line, lineLen);
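Review bot: The declaration becomes `EVP_MD_CTX *ctx = EVP_MD_CTX_new();` but the unchanged lines still call `EVP_DigestInit(&ctx, EVP_sha1())` and `EVP_DigestUpdate(&ctx, line, lineLen)`, passing an `EVP_MD_CTX **` where an `EVP_MD_CTX *` is expected — at best an incompatible-pointer warning, at runtime the address of the local pointer handed to OpenSSL instead of the context. The three digest calls (the `EVP_DigestFinal(&ctx, msg, &msglen)` that follows is outside the hunk) need `ctx` in place of `&ctx`, the `EVP_MD_CTX_new()` result needs a NULL check, and the context should be released with `EVP_MD_CTX_free(ctx)` once the digest is final.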
@@ -0,0 +1,246 @@
Upstream-Status: Pending
Index: git/include/tpm_tspi.h
===================================================================
--- git.orig/include/tpm_tspi.h
+++ git/include/tpm_tspi.h
@@ -117,6 +117,10 @@ TSS_RESULT tpmPcrRead(TSS_HTPM a_hTpm, U
UINT32 *a_PcrSize, BYTE **a_PcrValue);
TSS_RESULT pcrcompositeSetPcrValue(TSS_HPCRS a_hPcrs, UINT32 a_Idx,
UINT32 a_PcrSize, BYTE *a_PcrValue);
+TSS_RESULT tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx,
+ UINT32 a_DataSize, BYTE *a_Data,
+ TSS_PCR_EVENT *a_Event,
+ UINT32 *a_PcrSize, BYTE **a_PcrValue);
#ifdef TSS_LIB_IS_12
TSS_RESULT unloadVersionInfo(UINT64 *offset, BYTE *blob, TPM_CAP_VERSION_INFO *v);
TSS_RESULT pcrcompositeSetPcrLocality(TSS_HPCRS a_hPcrs, UINT32 localityValue);
Index: git/lib/tpm_tspi.c
===================================================================
--- git.orig/lib/tpm_tspi.c
+++ git/lib/tpm_tspi.c
@@ -594,6 +594,20 @@ pcrcompositeSetPcrValue(TSS_HPCRS a_hPcr
return result;
}
+TSS_RESULT
+tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx,
+ UINT32 a_DataSize, BYTE *a_Data,
+ TSS_PCR_EVENT *a_Event,
+ UINT32 *a_PcrSize, BYTE **a_PcrValue)
+{
+ TSS_RESULT result =
+ Tspi_TPM_PcrExtend(a_hTpm, a_Idx, a_DataSize, a_Data, a_Event,
+ a_PcrSize, a_PcrValue);
+ tspiResult("Tspi_TPM_PcrExtend", result);
+
+ return result;
+}
+
#ifdef TSS_LIB_IS_12
/*
* These getPasswd functions will wrap calls to the other functions and check to see if the TSS
Index: git/src/cmds/Makefile.am
===================================================================
--- git.orig/src/cmds/Makefile.am
+++ git/src/cmds/Makefile.am
@@ -22,6 +22,7 @@
#
bin_PROGRAMS = tpm_sealdata \
+ tpm_extendpcr \
tpm_unsealdata
if TSS_LIB_IS_12
@@ -33,4 +34,5 @@ endif
LDADD = $(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto @INTLLIBS@
tpm_sealdata_SOURCES = tpm_sealdata.c
+tpm_extendpcr_SOURCES = tpm_extendpcr.c
tpm_unsealdata_SOURCES = tpm_unsealdata.c
Index: git/src/cmds/tpm_extendpcr.c
===================================================================
--- /dev/null
+++ git/src/cmds/tpm_extendpcr.c
@@ -0,0 +1,181 @@
+/*
+ * The Initial Developer of the Original Code is International
+ * Business Machines Corporation. Portions created by IBM
+ * Corporation are Copyright (C) 2005, 2006 International Business
+ * Machines Corporation. All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the Common Public License as published by
+ * IBM Corporation; either version 1 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Common Public License for more details.
+ *
+ * You should have received a copy of the Common Public License
+ * along with this program; if not, a copy can be viewed at
+ * http://www.opensource.org/licenses/cpl1.0.php.
+ */
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+#include <limits.h>
+#include "tpm_tspi.h"
+#include "tpm_utils.h"
+#include "tpm_seal.h"
+
+// #define TPM_EXTENDPCR_DEBUG
+
+static void help(const char *aCmd)
+{
+ logCmdHelp(aCmd);
+ logCmdOption("-i, --infile FILE",
+ _
+ ("Filename containing data to extend PCRs with. Default is STDIN."));
+ logCmdOption("-p, --pcr NUMBER",
+ _("PCR to extend."));
+
+}
+
+static char in_filename[PATH_MAX] = "";
+static TSS_HPCRS hPcrs = NULL_HPCRS;
+static TSS_HTPM hTpm;
+static UINT32 selectedPcrs[24];
+static UINT32 selectedPcrsLen = 0;
+TSS_HCONTEXT hContext = 0;
+
+static int parse(const int aOpt, const char *aArg)
+{
+ int rc = -1;
+
+ switch (aOpt) {
+ case 'i':
+ if (aArg) {
+ strncpy(in_filename, aArg, PATH_MAX);
+ rc = 0;
+ }
+ break;
+ case 'p':
+ if (aArg) {
+ selectedPcrs[selectedPcrsLen++] = atoi(aArg);
+ rc = 0;
+ }
+ break;
+ default:
+ break;
+ }
+ return rc;
+
+}
+
+int main(int argc, char **argv)
+{
+
+ int iRc = -1;
+ struct option opts[] = {
+ {"infile", required_argument, NULL, 'i'},
+ {"pcr", required_argument, NULL, 'p'},
+ };
+ unsigned char line[EVP_MD_block_size(EVP_sha1()) * 16];
+ int lineLen;
+ UINT32 i;
+
+ BIO *bin = NULL;
+
+ initIntlSys();
+
+ if (genericOptHandler(argc, argv, "i:p:", opts,
+ sizeof(opts) / sizeof(struct option), parse,
+ help) != 0)
+ goto out;
+
+ if (contextCreate(&hContext) != TSS_SUCCESS)
+ goto out;
+
+ if (contextConnect(hContext) != TSS_SUCCESS)
+ goto out_close;
+
+ if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
+ goto out_close;
+
+ /* Create a BIO for the input file */
+ if ((bin = BIO_new(BIO_s_file())) == NULL) {
+ logError(_("Unable to open input BIO\n"));
+ goto out_close;
+ }
+
+ /* Assign the input file to the BIO */
+ if (strlen(in_filename) == 0)
+ BIO_set_fp(bin, stdin, BIO_NOCLOSE);
+ else if (!BIO_read_filename(bin, in_filename)) {
+ logError(_("Unable to open input file: %s\n"),
+ in_filename);
+ goto out_close;
+ }
+
+ /* Create the PCRs object. If any PCRs above 15 are selected, this will need to be
+ * a 1.2 TSS/TPM */
+ if (selectedPcrsLen) {
+ TSS_FLAG initFlag = 0;
+ UINT32 pcrSize;
+ BYTE *pcrValue;
+
+ for (i = 0; i < selectedPcrsLen; i++) {
+ if (selectedPcrs[i] > 15) {
+#ifdef TSS_LIB_IS_12
+ initFlag |= TSS_PCRS_STRUCT_INFO_LONG;
+#else
+ logError(_("This version of %s was compiled for a v1.1 TSS, which "
+ "can only seal\n data to PCRs 0-15. PCR %u is out of range"
+ "\n"), argv[0], selectedPcrs[i]);
+ goto out_close;
+#endif
+ }
+ }
+
+ unsigned char msg[EVP_MAX_MD_SIZE];
+ unsigned int msglen;
+ EVP_MD_CTX ctx;
+ EVP_DigestInit(&ctx, EVP_sha1());
+ while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0)
+ EVP_DigestUpdate(&ctx, line, lineLen);
+ EVP_DigestFinal(&ctx, msg, &msglen);
+
+ if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag,
+ &hPcrs) != TSS_SUCCESS)
+ goto out_close;
+
+ for (i = 0; i < selectedPcrsLen; i++) {
+#ifdef TPM_EXTENDPCR_DEBUG
+ if (tpmPcrRead(hTpm, selectedPcrs[i], &pcrSize, &pcrValue) != TSS_SUCCESS)
+ goto out_close;
+
+ unsigned int j;
+ for (j = 0; j < pcrSize; j++)
+ printf("%02X ", pcrValue[j]);
+ printf("\n");
+#endif
+
+ if (tpmPcrExtend(hTpm, selectedPcrs[i], msglen, msg, NULL, &pcrSize, &pcrValue) != TSS_SUCCESS)
+ goto out_close;
+
+#ifdef TPM_EXTENDPCR_DEBUG
+ for (j = 0; j < pcrSize; j++)
+ printf("%02X ", pcrValue[j]);
+ printf("\n");
+#endif
+ }
+ }
+
+ iRc = 0;
+ logSuccess(argv[0]);
+
+out_close:
+ contextClose(hContext);
+
+out:
+ if (bin)
+ BIO_free(bin);
+ return iRc;
+}
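Review bot: `parse()` has no bound on `selectedPcrs`: each `-p` does `selectedPcrs[selectedPcrsLen++] = atoi(aArg)` into a 24-entry array, so a 25th `-p` writes past it, and `strncpy(in_filename, aArg, PATH_MAX)` leaves `in_filename` unterminated when the argument is PATH_MAX bytes or longer, which `strlen(in_filename)` and `BIO_read_filename` in main then over-read. Both checks belong in `parse()` (rewritten below); `atoi()` also turns a negative or non-numeric argument into 0 or a huge UINT32 without complaint, so `strtoul` with a range check would be better. Two smaller points: the out-of-range message on the `#else` branch still says "can only seal data to PCRs 0-15" (copied from tpm_sealdata), and `hPcrs` is created via `contextCreateObject` but never used by the extend loop.
```c
static int parse(const int aOpt, const char *aArg)
{
	int rc = -1;

	switch (aOpt) {
	case 'i':
		if (aArg && strlen(aArg) < sizeof(in_filename)) {
			strncpy(in_filename, aArg, sizeof(in_filename) - 1);
			rc = 0;
		}
		break;
	case 'p':
		if (aArg && selectedPcrsLen <
		    sizeof(selectedPcrs) / sizeof(selectedPcrs[0])) {
			selectedPcrs[selectedPcrsLen++] = atoi(aArg);
			rc = 0;
		}
		break;
	/* … unchanged: default case, return rc … */
```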
@@ -0,0 +1,35 @@
SUMMARY = "The tpm-tools package contains commands to allow the platform administrator the ability to manage and diagnose the platform's TPM."
DESCRIPTION = " \
The tpm-tools package contains commands to allow the platform administrator \
the ability to manage and diagnose the platform's TPM. Additionally, the \
package contains commands to utilize some of the capabilities available \
in the TPM PKCS#11 interface implemented in the openCryptoki project. \
"
SECTION = "tpm"
LICENSE = "CPL-1.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
DEPENDS = "libtspi openssl perl-native"
DEPENDS:class-native = "trousers-native"
SRCREV = "bf43837575c5f7d31865562dce7778eae970052e"
SRC_URI = " \
git://git.code.sf.net/p/trousers/tpm-tools;branch=master \
file://tpm-tools-extendpcr.patch \
file://04-fix-FTBFS-clang.patch \
file://openssl1.1_fix.patch \
"
inherit autotools-brokensep gettext
S = "${WORKDIR}/git"
do_configure:prepend () {
mkdir -p po
mkdir -p m4
cp -R po_/* po/
touch po/Makefile.in.in
touch m4/Makefile.am
}
BBCLASSEXTEND = "native"
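Review bot: `DEPENDS:class-native = "trousers-native"` replaces the whole target list, so the native variant declares neither openssl nor perl even though the tree links libcrypto (the extendpcr patch in this commit adds `#include <openssl/evp.h>` and its Makefile.am LDADD carries `-lcrypto`); it presumably builds only because openssl-native arrives transitively through trousers-native. Making that explicit, `DEPENDS:class-native = "trousers-native openssl-native perl-native"`, keeps the native build from breaking if trousers ever drops its openssl dependency. `SECTION = "tpm"` also differs from the `"security/tpm"` used by the other recipes in this commit.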
@@ -0,0 +1,68 @@
From 3396fc7a184293c23135161f034802062f7f3816 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <adraszik@tycoint.com>
Date: Wed, 1 Nov 2017 11:41:48 +0000
Subject: [PATCH] build: don't override --localstatedir --mandir --sysconfdir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It is currently impossible to override localstatedir,
mandir and sysconfdir during ./configure, because they
are being overriden unconditionally because of they
way trousers is built using rpmbuild.
If they need massaging for rpmbuild, the values should
be specified inside the spec file, not in ./configure
and thereby overriding user-requested values.
With this patch it is now possible to set above
locations as needed. The .spec file is being modified
as well so as to restore previous behaviour.
Signed-off-by: André Draszik <adraszik@tycoint.com>
---
Upstream-Status: Submitted [https://sourceforge.net/p/trousers/mailman/message/36099290/]
Signed-off-by: André Draszik <adraszik@tycoint.com>
configure.ac | 11 ++---------
dist/trousers.spec.in | 2 +-
2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/configure.ac b/configure.ac
index b9626af..7fe5f8e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -376,16 +376,9 @@ CFLAGS="$CFLAGS -I../include \
KERNEL_VERSION=`uname -r`
AC_SUBST(CFLAGS)
-# When we build the rpms, prefix will be /usr. This'll do some things that make sense,
-# like put our sbin stuff in /usr/sbin and our library in /usr/lib. It'll do some other
-# things that don't make sense like put our config file in /usr/etc. So, I'll just hack
-# it here. If the --prefix option isn't specified during configure, let it all go to
+# If the --prefix option isn't specified during configure, let it all go to
# /usr/local, even /usr/local/etc. :-P
-if test x"${prefix}" = x"/usr"; then
- sysconfdir="/etc"
- localstatedir="/var"
- mandir="/usr/share/man"
-elif test x"${prefix}" = x"NONE"; then
+if test x"${prefix}" = x"NONE"; then
localstatedir="/usr/local/var"
fi
diff --git a/dist/trousers.spec.in b/dist/trousers.spec.in
index b298b0e..10ef178 100644
--- a/dist/trousers.spec.in
+++ b/dist/trousers.spec.in
@@ -45,7 +45,7 @@ applications.
%build
%{?arch64:export PKG_CONFIG_PATH=%{pkgconfig_path}:$PKG_CONFIG_PATH}
-./configure --prefix=/usr --libdir=%{_libdir}
+./configure --prefix=/usr --libdir=%{_libdir} --sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man
make
%clean
--
2.15.0.rc1
@@ -0,0 +1,49 @@
trousers: fix compiling with musl
use POSIX getpwent instead of getpwent_r
Upstream-Status: Submitted
Signed-off-by: Armin Kuster <akuster@mvista.com>
Index: git/src/tspi/ps/tspps.c
===================================================================
--- git.orig/src/tspi/ps/tspps.c
+++ git/src/tspi/ps/tspps.c
@@ -66,9 +66,6 @@ get_user_ps_path(char **file)
TSS_RESULT result;
char *file_name = NULL, *home_dir = NULL;
struct passwd *pwp;
-#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
- struct passwd pw;
-#endif
struct stat stat_buf;
char buf[PASSWD_BUFSIZE];
uid_t euid;
@@ -96,24 +93,15 @@ get_user_ps_path(char **file)
#else
setpwent();
while (1) {
-#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
- rc = getpwent_r(&pw, buf, PASSWD_BUFSIZE, &pwp);
- if (rc) {
- LogDebugFn("USER PS: Error getting path to home directory: getpwent_r: %s",
- strerror(rc));
- endpwent();
- return TSPERR(TSS_E_INTERNAL_ERROR);
- }
-
-#elif (defined (__FreeBSD__) || defined (__OpenBSD__))
if ((pwp = getpwent()) == NULL) {
LogDebugFn("USER PS: Error getting path to home directory: getpwent: %s",
strerror(rc));
endpwent();
+#if (defined (__FreeBSD__) || defined (__OpenBSD__))
MUTEX_UNLOCK(user_ps_path);
+#endif
return TSPERR(TSS_E_INTERNAL_ERROR);
}
-#endif
if (euid == pwp->pw_uid) {
home_dir = strdup(pwp->pw_dir);
break;
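Review bot: With the `getpwent_r` branch removed, the surviving `strerror(rc)` in the error message under `if ((pwp = getpwent()) == NULL)` is passed an `rc` that this loop no longer sets, so the log shows a stale or uninitialized code; `getpwent()` reports through errno, so it should be `strerror(errno)` captured right after the call. `buf[PASSWD_BUFSIZE]` is now unused on every platform and will draw an unused-variable warning. Since the glibc path now uses the non-reentrant `getpwent()` enumeration while `MUTEX_UNLOCK(user_ps_path)` is compiled only for the BSDs, it is worth confirming that the matching lock (outside the hunk) also covers Linux — otherwise two threads resolving the persistent-storage path concurrently share libc's static passwd state.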
@@ -0,0 +1,10 @@
[Unit]
Description=TCG Core Services Daemon
After=syslog.target
[Service]
Type=forking
ExecStart=@SBINDIR@/tcsd
[Install]
WantedBy=multi-user.target
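Review bot: The unit has no `User=`/`Group=` line, so systemd starts `@SBINDIR@/tcsd` as root, whereas the sysvinit script in the same layer starts it with `--user tss --chuid tss` and the udev rule hands the TPM device to tss:tss with mode 0600; unless tcsd drops privileges on its own (not visible here), the two init paths run the daemon under different identities. Adding `User=tss` and `Group=tss` under `[Service]` aligns them with the rest of the layer. `Type=forking` without `PIDFile=` also leaves systemd guessing the main process; since the init script already runs tcsd with `--foreground`, `Type=simple` with that option is the simpler contract, and `After=syslog.target` is an obsolete target that can be dropped.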
@@ -0,0 +1,2 @@
# trousers daemon expects tpm device to be owned by tss user & group
KERNEL=="tpm[0-9]*", MODE="0600", OWNER="tss", GROUP="tss"
@@ -0,0 +1,67 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: tcsd trousers
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts tcsd
# Description: tcsd belongs to the TrouSerS TCG Software Stack
### END INIT INFO
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/tcsd
NAME=tcsd
DESC="Trusted Computing daemon"
USER="tss"
test -x "${DAEMON}" || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
case "${1}" in
start)
echo "Starting $DESC: "
if [ ! -e /dev/tpm* ]
then
echo "device driver not loaded, skipping."
exit 0
fi
start-stop-daemon --start --quiet --oknodo \
--pidfile /var/run/${NAME}.pid --make-pidfile --background \
--user ${USER} --chuid ${USER} \
--exec ${DAEMON} -- ${DAEMON_OPTS} --foreground
RETVAL="$?"
echo "$NAME."
exit $RETVAL
;;
stop)
echo "Stopping $DESC: "
start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --exec ${DAEMON}
RETVAL="$?"
echo "$NAME."
rm -f /var/run/${NAME}.pid
exit $RETVAL
;;
restart|force-reload)
"${0}" stop
sleep 1
"${0}" start
exit $?
;;
*)
echo "Usage: ${NAME} {start|stop|restart|force-reload|status}" >&2
exit 3
;;
esac
exit 0
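Review bot: `if [ ! -e /dev/tpm* ]` only works when the glob expands to zero or one entry: with both `/dev/tpm0` and `/dev/tpmrm0` present `[` receives two operands and fails with "too many arguments", and with no match it tests the literal string `/dev/tpm*`. A form that tolerates any number of device nodes is `if ! ls /dev/tpm* >/dev/null 2>&1; then`. The usage line also advertises `status`, but there is no `status)` case, so `trousers status` exits 3 with the usage message.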
@@ -0,0 +1,120 @@
SUMMARY = "TrouSerS - An open-source TCG Software Stack implementation."
LICENSE = "BSD-3-Clause"
HOMEPAGE = "http://sourceforge.net/projects/trousers/"
LIC_FILES_CHKSUM = "file://README;startline=3;endline=4;md5=2af28fbed0832e4d83a9e6dd68bb4413"
SECTION = "security/tpm"
DEPENDS = "openssl"
SRCREV = "94144b0a1dcef6e31845d6c319e9bd7357208eb9"
PV = "0.3.15+git${SRCPV}"
SRC_URI = " \
git://git.code.sf.net/p/trousers/trousers;branch=master \
file://trousers.init.sh \
file://trousers-udev.rules \
file://tcsd.service \
file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
"
S = "${WORKDIR}/git"
inherit autotools pkgconfig useradd update-rc.d ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
PACKAGECONFIG ?= "gmp "
PACKAGECONFIG[gmp] = "--with-gmp, --with-gmp=no, gmp"
PACKAGECONFIG[gtk] = "--with-gui=gtk, --with-gui=none, gtk+"
do_install () {
oe_runmake DESTDIR=${D} install
}
do_install:append() {
install -d ${D}${sysconfdir}/init.d
install -m 0755 ${WORKDIR}/trousers.init.sh ${D}${sysconfdir}/init.d/trousers
install -d ${D}${sysconfdir}/udev/rules.d
install -m 0644 ${WORKDIR}/trousers-udev.rules ${D}${sysconfdir}/udev/rules.d/45-trousers.rules
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/tcsd.service ${D}${systemd_unitdir}/system/
sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/tcsd.service
fi
}
CONFFILES:${PN} += "${sysconfig}/tcsd.conf"
PROVIDES = "${PACKAGES}"
PACKAGES = " \
libtspi \
libtspi-dbg \
libtspi-dev \
libtspi-doc \
libtspi-staticdev \
trousers \
trousers-dbg \
trousers-doc \
"
# libtspi needs tcsd for most (all?) operations, so suggest to
# install that.
RRECOMMENDS:libtspi = "${PN}"
FILES:libtspi = " \
${libdir}/*.so.1 \
${libdir}/*.so.1.2.0 \
"
FILES:libtspi-dbg = " \
${libdir}/.debug \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tspi \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trspi \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/*.h \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/tss \
"
FILES:libtspi-dev = " \
${includedir} \
${libdir}/*.so \
"
FILES:libtspi-doc = " \
${mandir}/man3 \
"
FILES:libtspi-staticdev = " \
${libdir}/*.la \
${libdir}/*.a \
"
FILES:${PN} = " \
${sbindir}/tcsd \
${sysconfdir} \
${localstatedir} \
"
FILES:${PN}-dev += "${libdir}/trousers"
FILES:${PN}-dbg = " \
${sbindir}/.debug \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcs \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcsd \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tddl \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trousers \
${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/trousers \
"
FILES:${PN}-doc = " \
${mandir}/man5 \
${mandir}/man8 \
"
FILES:${PN} += "${systemd_unitdir}/*"
INITSCRIPT_NAME = "trousers"
INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM:${PN} = "--system tss"
USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
SYSTEMD_PACKAGES = "${PN}"
SYSTEMD_SERVICE:${PN} = "tcsd.service"
SYSTEMD_AUTO_ENABLE = "disable"
BBCLASSEXTEND = "native"
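Review bot: `CONFFILES:${PN} += "${sysconfig}/tcsd.conf"` uses `${sysconfig}`, which is not a BitBake variable and expands to empty, so the entry becomes `/tcsd.conf` and the packaged `/etc/tcsd.conf` is never registered as a configuration file — a locally edited copy is overwritten on package upgrade. It should read `CONFFILES:${PN} += "${sysconfdir}/tcsd.conf"`. Separately, `INITSCRIPT_PARAMS` enables tcsd at boot under sysvinit while `SYSTEMD_AUTO_ENABLE = "disable"` leaves it off under systemd; if that asymmetry is intentional a one-line comment above it would save the next reader the question.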
@@ -0,0 +1,51 @@
1) Allow recipe to overide optimization.
fixes:
397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O)
| | ^~~~~~~
| cc1: all warnings being treated as errors
2) Allow recipe to override OE related compile-/link-flags
fixes:
ERROR: QA Issue: File /usr/bin/tpm_server in package ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags]
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Jens Rehsack <sno@NetBSD.org>
Index: src/makefile
===================================================================
--- src.orig/makefile
+++ src/makefile
@@ -38,13 +38,11 @@
#################################################################################
-CC = /usr/bin/gcc
-
CCFLAGS = -Wall \
-Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
-Werror -Wsign-compare \
-Wno-deprecated-declarations \
- -c -ggdb -O0 \
+ -c -ggdb -O \
-DTPM_POSIX \
-D_POSIX_ \
-DTPM_NUVOTON
@@ -80,11 +78,11 @@ TcpServerPosix.o : $(HEADERS)
.PRECIOUS: %.o
tpm_server: $(OBJFILES)
- $(CC) $(OBJFILES) $(LNFLAGS) -o tpm_server
+ $(CCLD) $(OBJFILES) $(LDFLAGS) $(LNFLAGS) -o tpm_server
clean:
rm -f *.o tpm_server *~
%.o: %.c
- $(CC) $(CCFLAGS) $< -o $@
+ $(CC) $(CCFLAGS) $(CFLAGS) $< -o $@
@@ -0,0 +1,37 @@
SUMMARY = "IBM's Software TPM 2.0"
DESCRIPTION = "The software TPM 2.0 is targeted toward application development, \
education, and virtualization. \
\
The intent is that an application can be developed using the software TPM. \
The application should then run using a hardware TPM without changes. \
Advantages of this approach: \
* In contrast to a hardware TPM, it runs on many platforms and it's generally faster. \
* Application software errors are easily reversed by simply removing the TPM state and starting over. \
* Difficult crypto errors are quickly debugged by looking inside the TPM."
HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmswtpm2.html"
LICENSE = "BSD-2-Clause"
SECTION = "securty/tpm"
LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
LIC_FILES_CHKSUM += "file://LICENSE;md5=c75e465155c42c14154bf6a2acb7347b"
DEPENDS = "openssl"
SRC_URI = "git://git.code.sf.net/p/ibmswtpm2/tpm2;protocol=https;branch=master \
file://tune-makefile.patch \
"
SRCREV = "5452af422edeff70fcae8ea99dd28a0922051d7b"
UPSTREAM_CHECK_URI = "https://git.code.sf.net/p/ibmswtpm2/tpm2"
S = "${WORKDIR}/git/src"
CFLAGS += "-Wno-error=maybe-uninitialized -DALG_CAMELLIA=ALG_NO"
do_compile () {
make CC='${CC}'
}
do_install () {
install -d ${D}/${bindir}
install -m 0755 tpm_server ${D}/${bindir}
}
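Review bot: `SECTION = "securty/tpm"` is misspelled; every other recipe in this commit uses `"security/tpm"`, so this one sorts into a section of its own in package indexes. Change it to `SECTION = "security/tpm"`. Minor: `install -d ${D}/${bindir}` and the install line below it double the slash because `${bindir}` is absolute — `${D}${bindir}` matches the other recipes here.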
@@ -0,0 +1,121 @@
From 26091b7830d84a12308442b238652ee9475d407b Mon Sep 17 00:00:00 2001
From: Jens Rehsack <sno@netbsd.org>
Date: Fri, 11 Sep 2020 07:46:41 +0200
Subject: [PATCH] utils{,12}/Makefile.am: expand wildcards in prereqs
Expand wildcards of required sources to avoid errors like:
make[2]: *** No rule to make target 'man/man1/*.1', needed by 'all-am'. Stop.
make[2]: *** Waiting for unfinished jobs....
Upstream-Status: Submitted
Signed-off-by: Jens Rehsack <sno@netbsd.org>
---
utils/Makefile.am | 75 +++++++++++++++++++++++++++++++++++++++++++--
utils12/Makefile.am | 8 ++++-
2 files changed, 79 insertions(+), 4 deletions(-)
Index: git/utils/Makefile.am
===================================================================
--- git.orig/utils/Makefile.am
+++ git/utils/Makefile.am
@@ -85,9 +85,78 @@ libibmtssutils_la_LIBADD = libibmtss.la
noinst_HEADERS = CommandAttributes.h imalib.h tssdev.h ntc2lib.h tssntc.h Commands_fp.h objecttemplates.h tssproperties.h cryptoutils.h Platform.h tssauth.h tsssocket.h ekutils.h eventlib.h efilib.h tssccattributes.h
# install every header in ibmtss
-nobase_include_HEADERS = ibmtss/*.h
+nobase_include_HEADERS = ibmtss/ActivateCredential_fp.h ibmtss/ActivateIdentity_fp.h ibmtss/BaseTypes.h \
+ ibmtss/CertifyCreation_fp.h ibmtss/Certify_fp.h ibmtss/CertifyX509_fp.h ibmtss/ChangeEPS_fp.h \
+ ibmtss/ChangePPS_fp.h ibmtss/ClearControl_fp.h ibmtss/Clear_fp.h ibmtss/ClockRateAdjust_fp.h \
+ ibmtss/ClockSet_fp.h ibmtss/Commit_fp.h ibmtss/ContextLoad_fp.h ibmtss/ContextSave_fp.h \
+ ibmtss/CreateEndorsementKeyPair_fp.h ibmtss/Create_fp.h ibmtss/CreateLoaded_fp.h \
+ ibmtss/CreatePrimary_fp.h ibmtss/CreateWrapKey_fp.h ibmtss/DictionaryAttackLockReset_fp.h \
+ ibmtss/DictionaryAttackParameters_fp.h ibmtss/Duplicate_fp.h ibmtss/ECC_Parameters_fp.h \
+ ibmtss/ECDH_KeyGen_fp.h ibmtss/ECDH_ZGen_fp.h ibmtss/EC_Ephemeral_fp.h ibmtss/EncryptDecrypt2_fp.h \
+ ibmtss/EncryptDecrypt_fp.h ibmtss/EventSequenceComplete_fp.h ibmtss/EvictControl_fp.h ibmtss/Extend_fp.h \
+ ibmtss/FlushContext_fp.h ibmtss/FlushSpecific_fp.h ibmtss/GetCapability12_fp.h ibmtss/GetCapability_fp.h \
+ ibmtss/GetCommandAuditDigest_fp.h ibmtss/GetRandom_fp.h ibmtss/GetSessionAuditDigest_fp.h \
+ ibmtss/GetTestResult_fp.h ibmtss/GetTime_fp.h ibmtss/Hash_fp.h ibmtss/HashSequenceStart_fp.h \
+ ibmtss/HierarchyChangeAuth_fp.h ibmtss/HierarchyControl_fp.h ibmtss/HMAC_fp.h ibmtss/HMAC_Start_fp.h \
+ ibmtss/Implementation.h ibmtss/Import_fp.h ibmtss/IncrementalSelfTest_fp.h ibmtss/LoadExternal_fp.h \
+ ibmtss/Load_fp.h ibmtss/LoadKey2_fp.h ibmtss/MakeCredential_fp.h ibmtss/MakeIdentity_fp.h ibmtss/NTC_fp.h \
+ ibmtss/NV_Certify_fp.h ibmtss/NV_ChangeAuth_fp.h ibmtss/NV_DefineSpace12_fp.h ibmtss/NV_DefineSpace_fp.h \
+ ibmtss/NV_Extend_fp.h ibmtss/NV_GlobalWriteLock_fp.h ibmtss/NV_Increment_fp.h ibmtss/NV_Read_fp.h \
+ ibmtss/NV_ReadLock_fp.h ibmtss/NV_ReadPublic_fp.h ibmtss/NV_ReadValueAuth_fp.h ibmtss/NV_ReadValue_fp.h \
+ ibmtss/NV_SetBits_fp.h ibmtss/NV_UndefineSpace_fp.h ibmtss/NV_UndefineSpaceSpecial_fp.h ibmtss/NV_Write_fp.h \
+ ibmtss/NV_WriteLock_fp.h ibmtss/NV_WriteValueAuth_fp.h ibmtss/NV_WriteValue_fp.h ibmtss/ObjectChangeAuth_fp.h \
+ ibmtss/OIAP_fp.h ibmtss/OSAP_fp.h ibmtss/OwnerReadInternalPub_fp.h ibmtss/OwnerSetDisable_fp.h \
+ ibmtss/Parameters12.h ibmtss/Parameters.h ibmtss/PCR_Allocate_fp.h ibmtss/PCR_Event_fp.h ibmtss/PCR_Extend_fp.h \
+ ibmtss/PcrRead12_fp.h ibmtss/PCR_Read_fp.h ibmtss/PCR_Reset12_fp.h ibmtss/PCR_Reset_fp.h ibmtss/PCR_SetAuthPolicy_fp.h \
+ ibmtss/PCR_SetAuthValue_fp.h ibmtss/PolicyAuthorize_fp.h ibmtss/PolicyAuthorizeNV_fp.h ibmtss/PolicyAuthValue_fp.h \
+ ibmtss/PolicyCommandCode_fp.h ibmtss/PolicyCounterTimer_fp.h ibmtss/PolicyCpHash_fp.h ibmtss/PolicyDuplicationSelect_fp.h \
+ ibmtss/PolicyGetDigest_fp.h ibmtss/PolicyLocality_fp.h ibmtss/PolicyNameHash_fp.h ibmtss/PolicyNV_fp.h \
+ ibmtss/PolicyNvWritten_fp.h ibmtss/PolicyOR_fp.h ibmtss/PolicyPassword_fp.h ibmtss/PolicyPCR_fp.h \
+ ibmtss/PolicyPhysicalPresence_fp.h ibmtss/PolicyRestart_fp.h ibmtss/PolicySecret_fp.h ibmtss/PolicySigned_fp.h \
+ ibmtss/PolicyTemplate_fp.h ibmtss/PolicyTicket_fp.h ibmtss/PP_Commands_fp.h ibmtss/Quote2_fp.h ibmtss/Quote_fp.h \
+ ibmtss/ReadClock_fp.h ibmtss/ReadPubek_fp.h ibmtss/ReadPublic_fp.h ibmtss/Rewrap_fp.h ibmtss/RSA_Decrypt_fp.h \
+ ibmtss/RSA_Encrypt_fp.h ibmtss/SelfTest_fp.h ibmtss/SequenceComplete_fp.h ibmtss/SequenceUpdate_fp.h \
+ ibmtss/SetAlgorithmSet_fp.h ibmtss/SetCommandCodeAuditStatus_fp.h ibmtss/SetPrimaryPolicy_fp.h ibmtss/Shutdown_fp.h \
+ ibmtss/Sign12_fp.h ibmtss/Sign_fp.h ibmtss/StartAuthSession_fp.h ibmtss/Startup12_fp.h ibmtss/Startup_fp.h \
+ ibmtss/StirRandom_fp.h ibmtss/TakeOwnership_fp.h ibmtss/TestParms_fp.h ibmtss/TPMB.h ibmtss/TpmBuildSwitches.h \
+ ibmtss/tpmconstants12.h ibmtss/tpmstructures12.h ibmtss/tpmtypes12.h ibmtss/TPM_Types.h ibmtss/tsscrypto.h \
+ ibmtss/tsscryptoh.h ibmtss/tsserror12.h ibmtss/tsserror.h ibmtss/tssfile.h ibmtss/tss.h ibmtss/tssmarshal12.h \
+ ibmtss/tssmarshal.h ibmtss/tssprintcmd.h ibmtss/tssprint.h ibmtss/tssresponsecode.h ibmtss/tsstransmit.h \
+ ibmtss/tssutils.h ibmtss/Unmarshal12_fp.h ibmtss/Unmarshal_fp.h ibmtss/Unseal_fp.h ibmtss/VerifySignature_fp.h \
+ ibmtss/ZGen_2Phase_fp.h
-notrans_man_MANS = man/man1/*.1
+notrans_man_MANS = man/man1/tssactivatecredential.1 man/man1/tsscertify.1 man/man1/tsscertifycreation.1 \
+ man/man1/tsscertifyx509.1 man/man1/tsschangeeps.1 man/man1/tsschangepps.1 man/man1/tssclear.1 \
+ man/man1/tssclearcontrol.1 man/man1/tssclockrateadjust.1 man/man1/tssclockset.1 man/man1/tsscommit.1 \
+ man/man1/tsscontextload.1 man/man1/tsscontextsave.1 man/man1/tsscreate.1 man/man1/tsscreateek.1 \
+ man/man1/tsscreateekcert.1 man/man1/tsscreateloaded.1 man/man1/tsscreateprimary.1 \
+ man/man1/tssdictionaryattacklockreset.1 man/man1/tssdictionaryattackparameters.1 man/man1/tssduplicate.1 \
+ man/man1/tsseccparameters.1 man/man1/tssecephemeral.1 man/man1/tssencryptdecrypt.1 man/man1/tsseventextend.1 \
+ man/man1/tsseventsequencecomplete.1 man/man1/tssevictcontrol.1 man/man1/tssflushcontext.1 man/man1/tssgetcapability.1 \
+ man/man1/tssgetcommandauditdigest.1 man/man1/tssgetcryptolibrary.1 man/man1/tssgetrandom.1 \
+ man/man1/tssgetsessionauditdigest.1 man/man1/tssgettestresult.1 man/man1/tssgettime.1 man/man1/tsshash.1 \
+ man/man1/tsshashsequencestart.1 man/man1/tsshierarchychangeauth.1 man/man1/tsshierarchycontrol.1 \
+ man/man1/tsshmac.1 man/man1/tsshmacstart.1 man/man1/tssimaextend.1 man/man1/tssimport.1 man/man1/tssimportpem.1 \
+ man/man1/tssload.1 man/man1/tssloadexternal.1 man/man1/tssmakecredential.1 man/man1/tssntc2getconfig.1 \
+ man/man1/tssntc2lockconfig.1 man/man1/tssntc2preconfig.1 man/man1/tssnvcertify.1 man/man1/tssnvchangeauth.1 \
+ man/man1/tssnvdefinespace.1 man/man1/tssnvextend.1 man/man1/tssnvglobalwritelock.1 man/man1/tssnvincrement.1 \
+ man/man1/tssnvread.1 man/man1/tssnvreadlock.1 man/man1/tssnvreadpublic.1 man/man1/tssnvsetbits.1 \
+ man/man1/tssnvundefinespace.1 man/man1/tssnvundefinespacespecial.1 man/man1/tssnvwrite.1 man/man1/tssnvwritelock.1 \
+ man/man1/tssobjectchangeauth.1 man/man1/tsspcrallocate.1 man/man1/tsspcrevent.1 man/man1/tsspcrextend.1 \
+ man/man1/tsspcrread.1 man/man1/tsspcrreset.1 man/man1/tsspolicyauthorize.1 man/man1/tsspolicyauthorizenv.1 \
+ man/man1/tsspolicyauthvalue.1 man/man1/tsspolicycommandcode.1 man/man1/tsspolicycountertimer.1 \
+ man/man1/tsspolicycphash.1 man/man1/tsspolicyduplicationselect.1 man/man1/tsspolicygetdigest.1 \
+ man/man1/tsspolicymaker.1 man/man1/tsspolicymakerpcr.1 man/man1/tsspolicynamehash.1 man/man1/tsspolicynv.1 \
+ man/man1/tsspolicynvwritten.1 man/man1/tsspolicyor.1 man/man1/tsspolicypassword.1 man/man1/tsspolicypcr.1 \
+ man/man1/tsspolicyrestart.1 man/man1/tsspolicysecret.1 man/man1/tsspolicysigned.1 man/man1/tsspolicytemplate.1 \
+ man/man1/tsspolicyticket.1 man/man1/tsspowerup.1 man/man1/tssprintattr.1 man/man1/tsspublicname.1 \
+ man/man1/tssquote.1 man/man1/tssreadclock.1 man/man1/tssreadpublic.1 man/man1/tssreturncode.1 \
+ man/man1/tssrewrap.1 man/man1/tssrsadecrypt.1 man/man1/tssrsaencrypt.1 man/man1/tsssequencecomplete.1 \
+ man/man1/tsssequenceupdate.1 man/man1/tsssetcommandcodeauditstatus.1 man/man1/tsssetprimarypolicy.1 \
+ man/man1/tssshutdown.1 man/man1/tsssign.1 man/man1/tsssignapp.1 man/man1/tssstartauthsession.1 \
+ man/man1/tssstartup.1 man/man1/tssstirrandom.1 man/man1/tsstimepacket.1 man/man1/tsstpm2pem.1 \
+ man/man1/tsstpmcmd.1 man/man1/tsstpmpublic2eccpoint.1 man/man1/tssunseal.1 man/man1/tssverifysignature.1 \
+ man/man1/tsswriteapp.1 man/man1/tsszgen2phase.1
if CONFIG_TPM20
noinst_HEADERS += tss20.h tssauth20.h ibmtss/tssprintcmd.h
Index: git/utils12/Makefile.am
===================================================================
--- git.orig/utils12/Makefile.am
+++ git/utils12/Makefile.am
@@ -9,7 +9,13 @@ libibmtssutils12_la_CFLAGS = -I$(top_src
# result: [current-age].age.revision
libibmtssutils12_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@ ../utils/libibmtss.la
-notrans_man_MANS = man/man1/*.1
+notrans_man_MANS = man/man1/tss1activateidentity.1 man/man1/tss1createekcert.1 man/man1/tss1createendorsementkeypair.1 \
+ man/man1/tss1createwrapkey.1 man/man1/tss1eventextend.1 man/man1/tss1extend.1 man/man1/tss1flushspecific.1 \
+ man/man1/tss1getcapability.1 man/man1/tss1imaextend.1 man/man1/tss1loadkey2.1 man/man1/tss1makeekblob.1 \
+ man/man1/tss1makeidentity.1 man/man1/tss1nvdefinespace.1 man/man1/tss1nvreadvalue.1 man/man1/tss1nvreadvalueauth.1 \
+ man/man1/tss1nvwritevalue.1 man/man1/tss1nvwritevalueauth.1 man/man1/tss1oiap.1 man/man1/tss1osap.1 \
+ man/man1/tss1ownerreadinternalpub.1 man/man1/tss1ownersetdisable.1 man/man1/tss1pcrread.1 man/man1/tss1quote2.1 \
+ man/man1/tss1sign.1 man/man1/tss1startup.1 man/man1/tss1takeownership.1 man/man1/tss1tpminit.1
noinst_HEADERS = ekutils12.h
bin_PROGRAMS = activateidentity createendorsementkeypair createwrapkey extend flushspecific getcapability loadkey2 makeidentity nvdefinespace nvreadvalueauth nvreadvalue nvwritevalueauth nvwritevalue oiap osap ownerreadinternalpub ownersetdisable pcrread quote2 sign startup takeownership tpminit createekcert makeekblob eventextend imaextend
@@ -0,0 +1,31 @@
SUMMARY = "IBM's Software TPM 2.0 TSS"
DESCRIPTION = "This is a user space TSS for TPM 2.0. It implements the \
functionality equivalent to (but not API compatible with) the TCG TSS \
working group's ESAPI, SAPI, and TCTI API's (and perhaps more) but with a \
hopefully simpler interface. \
It comes with over 110 'TPM tools' samples that can be used for scripted \
apps, rapid prototyping, education, and debugging. \
It also comes with a web based TPM interface, suitable for a demo to an \
audience that is unfamiliar with TCG technology. It is also useful for \
basic TPM management."
HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmtss2.html"
LICENSE = "BSD-2-Clause"
SECTION = "securty/tpm"
LIC_FILES_CHKSUM = "file://LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
DEPENDS = "openssl ibmswtpm2"
inherit autotools pkgconfig
SRCREV = "c4e131e34ec0ed09411aa3bc76f76129ef881573"
SRC_URI = "git://git.code.sf.net/p/ibmtpm20tss/tss;protocol=https;branch=master \
file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \
"
UPSTREAM_CHECK_COMMITS = "1"
UPSTREAM_CHECK_URI = "https://git.code.sf.net/p/ibmswtpm2/tpm2"
UPSTREAM_CHECK_GITTAGREGEX = "rev.*)"
EXTRA_OECONF = "--disable-tpm-1.2"
S = "${WORKDIR}/git"
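Review bot: UPSTREAM_CHECK_URI on the line `UPSTREAM_CHECK_URI = "https://git.code.sf.net/p/ibmswtpm2/tpm2"` points at the ibmswtpm2 repository, while SRC_URI fetches from `git://git.code.sf.net/p/ibmtpm20tss/tss`, so the upstream version check tracks the wrong project; it should be `UPSTREAM_CHECK_URI = "https://git.code.sf.net/p/ibmtpm20tss/tss"`. The same copy-paste seems to have carried over the SECTION typo `securty/tpm`, which also appears in the ibmswtpm2 recipe above; the other recipes in this commit use `security/tpm`.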
@@ -0,0 +1,65 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: tpm2-abrmd
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts tpm2-abrmd
# Description: tpm2-abrmd implements the TCG resource manager
### END INIT INFO
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/tpm2-abrmd
NAME=tpm2-abrmd
DESC="TCG TSS2 Access Broker and Resource Management daemon"
USER="tss"
test -x "${DAEMON}" || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
case "${1}" in
start)
echo -n "Starting $DESC: "
if [ ! -e /dev/tpm? ]
then
echo "device driver not loaded, skipping."
exit 0
fi
start-stop-daemon --start --quiet --oknodo --background --pidfile /var/run/${NAME}.pid --user ${USER} --chuid ${USER} --exec ${DAEMON} -- ${DAEMON_OPTS}
RETVAL="$?"
echo "$NAME."
[ "$RETVAL" = 0 ] && pidof $DAEMON > /var/run/${NAME}.pid
exit $RETVAL
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --exec ${DAEMON}
RETVAL="$?"
echo "$NAME."
rm -f /var/run/${NAME}.pid
exit $RETVAL
;;
restart|force-reload)
"${0}" stop
sleep 1
"${0}" start
exit $?
;;
*)
echo "Usage: ${NAME} {start|stop|restart|force-reload|status}" >&2
exit 3
;;
esac
exit 0
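Review bot: The device probe `if [ ! -e /dev/tpm? ]` relies on the shell expanding a glob inside test: with no TPM node the literal `/dev/tpm?` is tested (which happens to give the intended result), but with more than one matching node `[` receives several arguments and fails with a syntax error instead of starting the daemon. A loop over the glob, or an explicit `ls /dev/tpm? >/dev/null 2>&1`, would make the intent clear. Separately, the usage line advertises `status` but the case statement has no `status)` branch, so `status` falls into the error path with exit 3; either add the branch or drop it from the usage text. The pidfile is also written from `pidof $DAEMON` immediately after `--background`, which may race the daemon's startup — worth confirming on a real boot.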
@@ -0,0 +1 @@
DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transients=20 --flush-all"
@@ -0,0 +1,54 @@
SUMMARY = "TPM2 Access Broker & Resource Manager"
DESCRIPTION = "This is a system daemon implementing the TPM2 access \
broker (TAB) & Resource Manager (RM) spec from the TCG. The daemon (tpm2-abrmd) \
is implemented using Glib and the GObject system. In this documentation and \
in the code we use `tpm2-abrmd` and `tabrmd` interchangeably. \
"
SECTION = "security/tpm"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \
libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"
SRC_URI = "\
https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
file://tpm2-abrmd-init.sh \
file://tpm2-abrmd.default \
"
SRC_URI[sha256sum] = "d59aff34164aa705b05155b86607f6b66918a433104f754a3fcf76216dd9f465"
UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
inherit autotools pkgconfig systemd update-rc.d useradd
SYSTEMD_PACKAGES += "${PN}"
SYSTEMD_SERVICE:${PN} = "tpm2-abrmd.service"
SYSTEMD_AUTO_ENABLE:${PN} = "disable"
INITSCRIPT_NAME = "${PN}"
INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM:${PN} = "tss"
USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
PACKAGECONFIG ?="${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}"
PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no"
do_install:append() {
install -d "${D}${sysconfdir}/init.d"
install -m 0755 "${WORKDIR}/tpm2-abrmd-init.sh" "${D}${sysconfdir}/init.d/tpm2-abrmd"
install -d "${D}${sysconfdir}/default"
install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd"
}
FILES:${PN} += "${libdir}/systemd/system-preset \
${datadir}/dbus-1"
RDEPENDS:${PN} += "tpm2-tss"
BBCLASSEXTEND = "native"
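Review bot: USERADD_PARAM:${PN} creates the same `tss` user and group that the tpm2-tss recipe in this commit also creates (its GROUPADD_PARAM uses `--system tss`, this one a plain `tss`), and this package already RDEPENDS on tpm2-tss, so two packages own the same account and the group flags disagree. Worth confirming whether useradd.bbclass tolerates the duplicate at rootfs time, or dropping the user creation here in favour of tpm2-tss. Minor style: `PACKAGECONFIG ?="${@...}"` is missing the space after `?=`, and `BBCLASSEXTEND = "native"` is unusual on a recipe that inherits useradd and update-rc.d — presumably only meant to satisfy a native dependency, please confirm.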
@@ -0,0 +1,21 @@
SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab"
DEPENDS = "autoconf-archive-native tpm2-tss openssl"
SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
SRC_URI[sha256sum] = "5a9bb0c6c61d026272b8843cbc291b5dfa9a55c1661a513b1c980807ad2dad01"
UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
inherit autotools pkgconfig
do_configure:prepend() {
# do not extract the version number from git
sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
}
FILES:${PN} = "\
${libdir}/ossl-modules/tpm2.so"
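Review bot: SECTION is not set on this recipe while the other tpm2-software recipes in this commit carry `SECTION = "security/tpm"`; add `SECTION = "security/tpm"` after LICENSE for consistency. A one-sentence DESCRIPTION would also help, since SUMMARY is currently the only descriptive text in the file.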
@@ -0,0 +1,47 @@
SUMMARY = "A PKCS#11 interface for TPM2 hardware"
DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token."
SECTION = "security/tpm"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab"
DEPENDS = "autoconf-archive pkgconfig sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native"
SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
SRC_URI[sha256sum] = "35bf06c30cfa76fc0eba2c5f503cf7dd0d34a66afb2d292fee896b90362f633b"
UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
inherit autotools-brokensep pkgconfig python3native
EXTRA_OECONF += "--disable-ptool-checks"
do_compile:append() {
cd ${S}/tools
python3 setup.py build
}
do_install:append() {
cd ${S}/tools
export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}"
${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build
sed -i -e "s:${PYTHON}:${USRBINPATH}/env ${PYTHON_PN}:g" "${D}${bindir}"/tpm2_ptool
}
PACKAGES =+ "${PN}-tools"
FILES:${PN}-tools = "\
${bindir}/tpm2_ptool \
${libdir}/${PYTHON_DIR}/* \
"
FILES:${PN} += "\
${libdir}/pkcs11/* \
${datadir}/p11-kit/* \
"
INSANE_SKIP:${PN} += "dev-so"
RDEPENDS:${PN} = "p11-kit tpm2-tools "
RDEPENDS:${PN}-tools = "${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules"
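Review bot: `do_compile:append` invokes a bare `python3 setup.py build` while `do_install:append` uses `${PYTHON_PN}`, so the two steps can resolve to different interpreters in the build environment; use `${PYTHON_PN} setup.py build` in both places. `DEPENDS` also lists `pkgconfig` even though the recipe inherits the pkgconfig class, which already pulls in the native tool — that entry looks redundant. The trailing space in `RDEPENDS:${PN} = "p11-kit tpm2-tools "` is harmless but untidy.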
@@ -0,0 +1,27 @@
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/configure.ac
===================================================================
--- git.orig/configure.ac
+++ git/configure.ac
@@ -84,9 +84,6 @@ AC_ARG_WITH([efi-lds],
AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds file.]),
[],
[with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"])
-AC_CHECK_FILE(["${with_efi_lds}"],
- [],
- [AC_MSG_ERROR([Missing file: ${with_efi_lds}.])])
EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}"
# path to object file from gnu-efi
@@ -94,9 +91,6 @@ AC_ARG_WITH([efi-crt0],
AS_HELP_STRING([--with-efi-crt0=OBJ_PATH],[Path to gnu-efi crt0 object file.]),
[],
[with_efi_crt0="/usr/lib/crt0-efi-${ARCH}.o"])
-AC_CHECK_FILE(["${with_efi_crt0}"],
- [],
- [AC_MSG_ERROR([Missing ${with_efi_crt0} file.])])
EXTRA_LDLIBS="${with_efi_crt0}"
# check for efi and gnuefi libraries
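Review bot: The patch header at the top of this file gives only Upstream-Status and a Signed-off-by, with no sentence saying why the AC_CHECK_FILE probes for the lds and crt0 files are removed, whereas the sibling patches in this commit each carry a short rationale. Suggest adding a line such as `Drop the AC_CHECK_FILE tests: in a cross build the paths are passed explicitly via --with-efi-lds/--with-efi-crt0, so probing the host filesystem is meaningless.` above Upstream-Status. With the checks gone a wrong path is only reported by the linker, so the recipe's EXTRA_OECONF has to stay in step with gnu-efi's install layout.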
@@ -0,0 +1,25 @@
Error building for i386 target in cross env
#include <efi/x86_64/efibind.h>
ARCH is host arch, not target arch
Upstream-Status: Submitted
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/src/uefi-types.h
===================================================================
--- git.orig/src/uefi-types.h
+++ git/src/uefi-types.h
@@ -3,9 +3,9 @@
#define UEFI_TYPES_H
#ifndef EDK2_BUILD
-#if ARCH == x86_64
+#if defined(__x86_64__)
#include <efi/x86_64/efibind.h>
-#elif ARCH == ia32
+#elif defined(__i386__)
#include <efi/ia32/efibind.h>
#else
#error "Unsupported ARCH."
@@ -0,0 +1,38 @@
From b74837184cfdefb45e48f3fdc974fc67691fc861 Mon Sep 17 00:00:00 2001
From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Date: Wed, 3 Jul 2019 19:16:35 +0300
Subject: [PATCH] configure.ac: stop inserting host directories into compile
path
Do not insert /usr/lib and /usr/lib64 into library search path.
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: git/configure.ac
===================================================================
--- git.orig/configure.ac
+++ git/configure.ac
@@ -70,10 +70,6 @@ EXTRA_CFLAGS+="-I${with_efi_includedir}
# compiler flags / search path
CFLAGS_TMP="$CFLAGS"
CFLAGS="$CFLAGS $EXTRA_CFLAGS"
-AC_CHECK_HEADERS([efi.h efilib.h],
- [],
- [AC_MSG_ERROR([Missing gnu-efi headers.])],
- [#include <efi.h>])
CFLAGS="$CFLAGS_TMP"
# path to linker script from gnu-efi
@@ -81,7 +77,7 @@ AC_ARG_WITH([efi-lds],
AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds file.]),
[],
[with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"])
-EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}"
+EXTRA_LDFLAGS="-Wl,--script=${with_efi_lds}"
# path to object file from gnu-efi
AC_ARG_WITH([efi-crt0],
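Review bot: The patch description and diffstat (`configure.ac | 2 +-`, `1 insertion(+), 1 deletion(-)`) only cover the EXTRA_LDFLAGS change, but the first hunk additionally deletes the four-line AC_CHECK_HEADERS probe for efi.h/efilib.h, which the message never mentions. Either regenerate the header with `git format-patch` so the diffstat matches, or preferably move the header-check removal into its own patch with a rationale, since it changes configure behaviour (a missing gnu-efi header is now only caught at compile time).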
@@ -0,0 +1,47 @@
SUMMARY = "TCTI module for use with TSS2 libraries in UEFI environment"
SECTION = "security/tpm"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
DEPENDS = "libtss2-dev libtss2-mu-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native"
SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git;branch=master;protocol=https \
file://configure_oe_fixup.patch \
file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \
file://fix_header_file.patch \
"
SRCREV = "0241b08f069f0fdb3612f5c1b938144dbe9be811"
UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
S = "${WORKDIR}/git"
inherit autotools pkgconfig
EFIDIR ?= "/EFI/BOOT"
EFI_ARCH:x86 = "ia32"
EFI_ARCH:x86-64 = "x86_64"
CFLAGS:append = " -I${STAGING_INCDIR}/efi -I${STAGING_INCDIR}/efi/${EFI_ARCH}"
EXTRA_OECONF:append = " \
--with-efi-includedir=${STAGING_INCDIR} \
--with-efi-crt0=${STAGING_LIBDIR}/crt0-efi-${EFI_ARCH}.o \
--with-efi-lds=${STAGING_LIBDIR}/elf_${EFI_ARCH}_efi.lds \
"
do_compile:append() {
oe_runmake example
}
do_install:append() {
install -d "${D}${EFIDIR}"
install -m 0755 "${B}"/example/*.efi "${D}${EFIDIR}"
}
COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
FILES:${PN} += "${EFIDIR}"
RDEPENDS:${PN} = "gnu-efi libtss2-mu"
@@ -0,0 +1,15 @@
SUMMARY = "Tools for TPM2."
DESCRIPTION = "tpm2-tools"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=a846608d090aa64494c45fc147cc12e3"
SECTION = "tpm"
DEPENDS = "tpm2-tss openssl curl"
SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
SRC_URI[sha256sum] = "1fdb49c730537bfdaed088884881a61e3bfd121e957ec0bdceeec0261236c123"
UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
inherit autotools pkgconfig bash-completion
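Review bot: `DESCRIPTION = "tpm2-tools"` just repeats the package name and adds nothing over SUMMARY; something like `DESCRIPTION = "Command line tools for the TPM2 Software Stack (TSS2) that exercise TPM 2.0 functionality through the tpm2-tss libraries."` would be more useful to anyone inspecting package metadata. `SECTION = "tpm"` also differs from the `security/tpm` used by most other recipes in this commit (the tpm2-tss recipe has the same bare `tpm` value).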
@@ -0,0 +1,17 @@
SUMMARY = "Attest the trustworthiness of a device against a human using time-based one-time passwords"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1"
SECTION = "security/tpm"
DEPENDS = "autoconf-archive libtss2-dev qrencode"
PE = "1"
SRCREV = "96a1448753a48974149003bc90ea3990ae8e8d0b"
SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=master;protocol=https"
inherit autotools-brokensep pkgconfig
S = "${WORKDIR}/git"
@@ -0,0 +1,32 @@
SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL."
DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures."
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=7b3ab643b9ce041de515d1ed092a36d4"
SECTION = "security/tpm"
DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/v${PV}/${BPN}-${PV}.tar.gz"
SRC_URI[sha256sum] = "ea2941695ac221d23a7f3e1321140e75b1495ae6ade876f2f4c2ed807c65e2a5"
UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
inherit autotools-brokensep pkgconfig systemd
# It uses the API deprecated since the OpenSSL 3.0
CFLAGS:append = ' -Wno-deprecated-declarations -Wno-unused-parameter'
do_configure:prepend() {
# do not extract the version number from git
sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
}
PACKAGES += "${PN}-engines ${PN}-engines-staticdev ${PN}-bash-completion"
FILES:${PN}-dev = "${libdir}/engines-3/tpm2tss.so ${includedir}/*"
FILES:${PN}-engines = "${libdir}/engines-3/lib*.so*"
FILES:${PN}-engines-staticdev = "${libdir}/engines-3/libtpm2tss.a"
FILES:${PN}-bash-completion += "${datadir}/bash-completion/completions"
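Review bot: The recipe inherits the systemd class but never sets SYSTEMD_SERVICE:${PN} or SYSTEMD_PACKAGES, and nothing visible here installs a unit; unless the upstream tarball ships one, `systemd` should be dropped from `inherit autotools-brokensep pkgconfig systemd`. `bash-completion` is also listed in DEPENDS where the sibling tpm2-tools recipe inherits the bash-completion class instead — that class also handles splitting the completions into `${PN}-bash-completion`, which this recipe currently does by hand in PACKAGES/FILES.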
@@ -0,0 +1,29 @@
revert configure: add checks for all tools used by make install
Not appropriate for cross build env.
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: tpm2-tss-4.0.1/configure.ac
===================================================================
--- tpm2-tss-4.0.1.orig/configure.ac
+++ tpm2-tss-4.0.1/configure.ac
@@ -554,17 +554,6 @@ AM_CONDITIONAL(SYSD_SYSUSERS, test "x$systemd_sysusers" = "xyes")
AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes)
AM_CONDITIONAL(SYSD_TMPFILES, test "x$systemd_tmpfiles" = "xyes")
-# Check all tools used by make install
-AS_IF([test "$HOSTOS" = "Linux" && test "x$systemd_sysusers" != "xyes"],
- [ AC_CHECK_PROG(useradd, useradd, yes)
- AC_CHECK_PROG(groupadd, groupadd, yes)
- AC_CHECK_PROG(adduser, adduser, yes)
- AC_CHECK_PROG(addgroup, addgroup, yes)
- AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ],
- [AC_MSG_ERROR([addgroup or groupadd are needed.])])
- AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ],
- [AC_MSG_ERROR([adduser or useradd are needed.])])])
-
AC_SUBST([PATH])
dnl --------- Doxy Gen -----------------------
@@ -0,0 +1,95 @@
SUMMARY = "Software stack for TPM2."
DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) "
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
SECTION = "tpm"
DEPENDS = "autoconf-archive-native libgcrypt openssl"
SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
file://fixup_hosttools.patch \
"
SRC_URI[sha256sum] = "532a70133910b6bd842289915b3f9423c0205c0ea009d65294ca18a74087c950"
UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
CVE_PRODUCT = "tpm2_software_stack"
inherit autotools pkgconfig systemd useradd
PACKAGECONFIG ??= ""
PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,curl json-c util-linux-libuuid "
PACKAGECONFIG[policy] = "--enable-policy,--disable-policy,json-c util-linux-libuuid "
EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/"
EXTRA_OECONF += "--runstatedir=/run"
EXTRA_OECONF:remove = " --disable-static"
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM:${PN} = "--system tss"
USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
do_install:append() {
# Remove /run as it is created on startup
rm -rf ${D}/run
}
PROVIDES = "${PACKAGES}"
PACKAGES = " \
${PN} \
${PN}-dbg \
${PN}-doc \
libtss2-mu \
libtss2-mu-dev \
libtss2-mu-staticdev \
libtss2-tcti-device \
libtss2-tcti-device-dev \
libtss2-tcti-device-staticdev \
libtss2-tcti-mssim \
libtss2-tcti-mssim-dev \
libtss2-tcti-mssim-staticdev \
libtss2 \
libtss2-dev \
libtss2-staticdev \
"
FILES:libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*"
FILES:libtss2-tcti-device-dev = " \
${includedir}/tss2/tss2_tcti_device.h \
${libdir}/pkgconfig/tss2-tcti-device.pc \
${libdir}/libtss2-tcti-device.so"
FILES:libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a"
FILES:libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*"
FILES:libtss2-tcti-mssim-dev = " \
${includedir}/tss2/tss2_tcti_mssim.h \
${libdir}/pkgconfig/tss2-tcti-mssim.pc \
${libdir}/libtss2-tcti-mssim.so"
FILES:libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a"
FILES:libtss2-mu = "${libdir}/libtss2-mu.so.*"
FILES:libtss2-mu-dev = " \
${includedir}/tss2/tss2_mu.h \
${libdir}/pkgconfig/tss2-mu.pc \
${libdir}/libtss2-mu.so"
FILES:libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a"
FILES:libtss2 = "${libdir}/libtss2*so.*"
FILES:libtss2-dev = " \
${includedir} \
${libdir}/pkgconfig \
${libdir}/libtss2*so"
FILES:libtss2-staticdev = "${libdir}/libtss*a"
FILES:${PN} = "\
${libdir}/udev \
/var/lib/tpm2-tss \
/var/run \
${nonarch_base_libdir}/udev \
${sysconfdir}/tmpfiles.d \
${sysconfdir}/tpm2-tss \
${sysconfdir}/sysusers.d"
RDEPENDS:libtss2 = "libgcrypt"
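Review bot: `PACKAGECONFIG[oxygen]` looks like a typo for `doxygen`; as written the feature has to be selected as `oxygen`, and its enable argument is empty while the disable argument is `--disable-doxygen-doc`, so selecting it does not actually turn the documentation build on. Suggest `PACKAGECONFIG[doxygen] = "--enable-doxygen-doc,--disable-doxygen-doc,doxygen-native"` — confirm the configure option names against the tarball. FILES:${PN} also lists `/var/run` although do_install:append removes `${D}/run` and EXTRA_OECONF sets `--runstatedir=/run`, so that entry appears stale.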