Diffstat (limited to 'meta-security/meta-tpm/recipes-tpm/swtpm')
5 files changed, 233 insertions, 0 deletions
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch b/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
new file mode 100644
index 000000000..3d1643120
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
@@ -0,0 +1,31 @@
+From 8750a6c3f0b4d9e7e45b4079150d29eb44774e9c Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Tue, 14 Mar 2017 22:59:36 -0700
+Subject: [PATCH 2/4] logging: Fix musl build issue with fcntl
+
+ error: #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.h> [-Werror=cpp]
+ #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/swtpm/logging.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/swtpm/logging.c b/src/swtpm/logging.c
+index f16cab6..7da8606 100644
+--- a/src/swtpm/logging.c
++++ b/src/swtpm/logging.c
+@@ -45,7 +45,7 @@
+ #include <errno.h>
+ #include <string.h>
+ #include <sys/types.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+--
+2.11.0
+
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
new file mode 100644
index 000000000..60958f763
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
@@ -0,0 +1,66 @@
+From 672bb4ee625da3141ba6cecb0601c7563de4c483 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Thu, 13 Oct 2016 02:03:56 -0700
+Subject: [PATCH 1/4] swtpm: add new package
+
+Upstream-Status: Inappropriate [OE config]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Rebased to current tip.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ configure.ac | 34 ++++++++++------------------------
+ 1 file changed, 10 insertions(+), 24 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index abf5be1..85ed6ac 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -395,31 +395,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-security"
+ dnl We have to make sure libtpms is using the same crypto library
+ dnl to avoid problems
+ AC_MSG_CHECKING([the crypto library libtpms is using])
+-dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
+- sed -n '/SEARCH_DIR/p' | \
+- sed 's/SEARCH_DIR("\(@<:@^"@:>@*\)"); */\1 /g' | \
+- sed 's|=/|/|g')
+-for dir in $dirs $LIBRARY_PATH; do
+- if test -r $dir/libtpms.so; then
+- if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
+- libtpms_cryptolib="openssl"
+- break
+- fi
+- if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
+- libtpms_cryptolib="freebl"
+- break
+- fi
++dir="$SEARCH_DIR"
++if test -r $dir/libtpms.so; then
++ if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
++ libtpms_cryptolib="openssl"
++ break
+ fi
+- case $host_os in
+- cygwin|openbsd*)
+- if test -r $dir/libtpms.a; then
+- if test -n "$(nm $dir/libtpms.a | grep "U AES_encrypt")"; then
+- libtpms_cryptolib="openssl"
+- fi
+- fi
+- ;;
+- esac
+-done
++ if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
++ libtpms_cryptolib="freebl"
++ break
++ fi
++fi
+
+ if test -z "$libtpms_cryptolib"; then
+ AC_MSG_ERROR([Could not determine libtpms crypto library.])
+--
+2.11.0
+
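Review bot: The two `break` statements kept in the new block (the `++ break` after `libtpms_cryptolib="openssl"` and the one after `libtpms_cryptolib="freebl"`) no longer sit inside a loop once the `for dir in $dirs $LIBRARY_PATH` loop is removed; `break` outside a loop is unspecified in POSIX sh and at best a no-op, so the second `ldd` test still runs and can overwrite `libtpms_cryptolib` with `freebl` when both libcrypto and libnss3 show up. Drop both `break` lines and turn the second `if … then` into an `elif … then` of the first, so the two checks become mutually exclusive. While touching it, quote the path in the tests (`if test -r "$dir/libtpms.so"; then`), since `$dir` comes straight from the `SEARCH_DIR` environment variable and is otherwise subject to word splitting.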
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch b/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch
new file mode 100644
index 000000000..d736bc66f
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch
@@ -0,0 +1,22 @@
+tpm_ioctl: fix musl for missing ioctl
+
+tpm_ioctl.c: In function 'ioctl_to_cmd':
+tpm_ioctl.c:86:26: error: '_IOC_NRSHIFT' undeclared (first use in this function)
+ return ((ioctlnum >> _IOC_NRSHIFT) & _IOC_NRMASK) + 1;
+
+
+Upstream-status:
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: git/src/swtpm_ioctl/tpm_ioctl.c
+===================================================================
+--- git.orig/src/swtpm_ioctl/tpm_ioctl.c
++++ git/src/swtpm_ioctl/tpm_ioctl.c
+@@ -58,6 +58,7 @@
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <sys/ioctl.h>
++#include <asm/ioctl.h>
+ #include <getopt.h>
+ #include <sys/un.h>
+ #include <sys/types.h>
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
new file mode 100644
index 000000000..644f3ac13
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
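Review bot: The patch header's `Upstream-status:` line is empty and mis-cased; the OE convention the other two patches in this commit already follow is `Upstream-Status: Pending` (or `Submitted`/`Inappropriate [reason]`), and the layer's patch-review tooling keys on that exact spelling. The added `#include <asm/ioctl.h>` is a Linux-only header, pulled in because, as the quoted error shows, musl's `<sys/ioctl.h>` does not expose `_IOC_NRSHIFT`/`_IOC_NRMASK`; a sentence in the header recording that the include is Linux-specific would save the next rebase a detour, since the patch as written cannot be proposed upstream for the cygwin/openbsd targets swtpm's configure still mentions.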
@@ -0,0 +1,53 @@
+SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
+LICENSE = "MIT"
+DEPENDS = "swtpm-native tpm-tools-native net-tools-native"
+
+inherit native
+
+# The whole point of the recipe is to make files available
+# for use after the build is done, so don't clean up...
+RM_WORK_EXCLUDE += "${PN}"
+
+do_create_wrapper () {
+ # Wrap (almost) all swtpm binaries. Some get special wrappers and some
+ # are not needed.
+ for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do
+ exe=`basename $i`
+ case $exe in
+ swtpm_setup.sh)
+ cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around swtpm_setup.sh which adds parameters required to
+# run the setup as non-root directly from the native sysroot.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+# tcsd only allows to be run as root or tss. Pretend to be root...
+exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
+EOF
+ ;;
+ swtpm_setup)
+ true
+ ;;
+ *)
+ cat >${WORKDIR}/${exe}_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around $exe which makes it easier to invoke
+# the right binary.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+exec ${exe} "\$@"
+EOF
+ ;;
+ esac
+ done
+
+ chmod a+rx ${WORKDIR}/*.sh
+}
+
+addtask do_create_wrapper before do_build after do_prepare_recipe_sysroot
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
new file mode 100644
index 000000000..747602000
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
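Review bot: The backtick-substituted `find` loop in `do_create_wrapper` word-splits and globs the result list, and `basename $i` leaves `$i` unquoted, so any sysroot path containing whitespace silently produces wrong wrapper names; piping `find` into `while IFS= read -r i; do … done` and quoting `"$i"` is the usual fix. A `find` failure (for instance one of the four directories missing from the native sysroot) is also swallowed by the command substitution, so the task can succeed with no wrappers written at all — `set -e` does not catch a non-zero status inside a `for` word list. The generated wrappers re-resolve `${exe}` through the prepended PATH rather than using the absolute `$i` that `find` returned; that is fine while the sysroot layout is stable, but a one-line comment in the heredoc saying so (`# resolved via the sysroot PATH set above, not the path found at build time`) would make the intent explicit.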
@@ -0,0 +1,61 @@
+SUMMARY = "SWTPM - Software TPM Emulator"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
+SECTION = "apps"
+
+DEPENDS = "libtasn1 expect socat glib-2.0 libtpm libtpm-native"
+
+# configure checks for the tools already during compilation and
+# then swtpm_setup needs them at runtime
+DEPENDS += "tpm-tools-native expect-native socat-native"
+RDEPENDS_${PN} += "tpm-tools"
+
+SRCREV = "4f4f2f0a7e3195f6df8d235d58630a08e69403d8"
+SRC_URI = "git://github.com/stefanberger/swtpm.git \
+ file://fix_lib_search_path.patch \
+ file://fix_fcntl_h.patch \
+ file://ioctl_h.patch \
+ "
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig
+PARALLEL_MAKE = ""
+
+TSS_USER="tss"
+TSS_GROUP="tss"
+
+PACKAGECONFIG ?= "openssl cuse"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
+PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
+PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
+PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"
+
+EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"
+
+export SEARCH_DIR = "${STAGING_LIBDIR_NATIVE}"
+
+# dup bootstrap
+do_configure_prepend () {
+ libtoolize --force --copy
+ autoheader
+ aclocal
+ automake --add-missing -c
+ autoconf
+}
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system ${TSS_USER}"
+USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir \
+ --no-create-home --shell /bin/false ${BPN}"
+
+RDEPENDS_${PN} = "libtpm expect socat bash"
+
+BBCLASSEXTEND = "native nativesdk"
+
+python() {
+ if 'cuse' in d.getVar('PACKAGECONFIG') and \
+ 'filesystems-layer' not in d.getVar('BBFILE_COLLECTIONS').split():
+ raise bb.parse.SkipRecipe('Cuse enabled which requires meta-filesystems to be present.')
+}
|
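Review bot: `USERADD_PARAM_${PN}` creates the account `${BPN}` (swtpm) while `GROUPADD_PARAM_${PN}` creates the group `${TSS_USER}` and configure is passed `--with-tss-user=${TSS_USER}`, so the `tss` service user the build configures swtpm for is never added; in the same line `--home-dir` is given no value, so useradd will most likely consume `--no-create-home` as the home directory path and then fall back to its default for home creation. The line should read `USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --no-create-home --shell /bin/false ${TSS_USER}"` (or keep `--home-dir` with an explicit path). Separately, `RDEPENDS_${PN} = "libtpm expect socat bash"` near the end overwrites the earlier `RDEPENDS_${PN} += "tpm-tools"`, dropping the runtime dependency the comment above that line justifies; use `RDEPENDS_${PN} += "libtpm expect socat bash"` there. The `git://` SRC_URI carries no transport authentication, but the full-length SRCREV pins the fetched tree, so source integrity rests entirely on that pin staying in place.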