Diffstat (limited to 'meta-security/meta-tpm')
-rw-r--r-- | meta-security/meta-tpm/README | 19 | ||||
-rw-r--r-- | meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass | 10 | ||||
-rw-r--r-- | meta-security/meta-tpm/conf/layer.conf | 4 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend | 18 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc | 17 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch | 27 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb (renamed from meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb) | 10 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb | 4 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch | 295 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb (renamed from meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.5.0.bb) | 27 | ||||
-rw-r--r-- | meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb | 4 |
11 files changed, 374 insertions, 61 deletions
diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README
index dd662b3d4..59d2ee3ad 100644
--- a/meta-security/meta-tpm/README
+++ b/meta-security/meta-tpm/README
@@ -1,6 +1,25 @@
 meta-tpm layer
 ==============
+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'tpm' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+ DISTRO_FEATURES_append = " tmp"
+
+If meta-tpm is included, but tpm is not enabled as a
+distro feature a warning is printed at parse time:
+
+ You have included the meta-tpm layer, but
+ 'tpm' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+ and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+
+ SKIP_META_TPM_SANITY_CHECK = 1
+
+
 This layer contains base TPM recipes.
 Dependencies
diff --git a/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass b/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass
new file mode 100644
index 000000000..2f8b52d1b
--- /dev/null
+++ b/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass
@@ -0,0 +1,10 @@
+addhandler tpm_machinecheck
+tpm_machinecheck[eventmask] = "bb.event.SanityCheck"
+python tpm_machinecheck() {
+ skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1"
+ if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+ bb.warn("You have included the meta-tpm layer, but \
+'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-tpm README \
+for details on enabling tpm support.")
+}
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 1b766cba2..0b102c533 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
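Review bot: In `tpm_machinecheck`, `e.data.getVar('DISTRO_FEATURES').split()` raises AttributeError when DISTRO_FEATURES is unset, so the sanity handler would abort parsing instead of warning; `if not skip_check and not bb.utils.contains('DISTRO_FEATURES', 'tpm', True, False, e.data):` handles the unset case without the crash. The warning text says 'tpm or tpm2' has not been enabled while the condition tests only 'tpm', so either the check should cover both values or the message should name only 'tpm'. The README this message points readers to writes `DISTRO_FEATURES_append = " tmp"`, which would not enable the feature; it should read `DISTRO_FEATURES_append = " tpm"`.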
@@ -17,6 +17,10 @@ LAYERDEPENDS_tpm-layer = " \
 "
 BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
+# Sanity check for meta-integrity layer.
+# Setting SKIP_META_TPM_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-tpm"
+
 BBFILES_DYNAMIC += " \
 networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
 "
diff --git a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
index cea8b1b2a..2cf1453a8 100644
--- a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -1,17 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
-
-# Enable tpm in kernel
-SRC_URI_append_x86 = " \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
- "
-
-SRC_URI_append_x86-64 = " \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
- "
-
-SRC_URI += " \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \
- ${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \
- "
+require ${@bb.utils.contains_any('DISTRO_FEATURES', 'tpm', 'linux-yocto_tpm.inc', '', d)}
diff --git a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc
new file mode 100644
index 000000000..cea8b1b2a
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc
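Review bot: The added comment `# Sanity check for meta-integrity layer.` names the wrong layer; this is meta-tpm's layer.conf and the class inherited on the next lines is sanity-meta-tpm, so it should read `# Sanity check for meta-tpm layer.`. The second comment line describing SKIP_META_TPM_SANITY_CHECK is accurate as written.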
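Review bot: The new `require` line gates linux-yocto_tpm.inc on 'tpm' in DISTRO_FEATURES only, while the .inc it pulls in selects tpm2.scc from MACHINE_FEATURES 'tpm2' and the sanity class warns about 'tpm or tpm2'; a distro that sets only tpm2 would silently get no kernel fragments. If that is intended, the single-value call reads more clearly as `bb.utils.contains('DISTRO_FEATURES', 'tpm', ...)`; if tpm2 should also enable the fragments, pass `'tpm tpm2'` to `contains_any`. A one-line comment above the require naming the DISTRO_FEATURES value that is honoured would help, since this file no longer shows what it enables.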
@@ -0,0 +1,17 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
+
+# Enable tpm in kernel
+SRC_URI_append_x86 = " \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
+ "
+
+SRC_URI_append_x86-64 = " \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
+ "
+
+SRC_URI += " \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \
+ "
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
deleted file mode 100644
index f2938e0e0..000000000
--- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Fix strict aliasing issue of gcc10
-
-fixes:
-
-TpmFail.c: In function 'TpmLogFailure':
-TpmFail.c:217:23: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing]
- 217 | s_failFunction = *(UINT32 *)&function; /* kgold */
- | ^~~~~~~~~~~~~~~~~~~
-cc1: all warnings being treated as errors
-
-Upstream-Status: Submitted
-
-Signed-off-by: Jens Rehsack <sno@NetBSD.org>
-
-Index: src/TpmFail.c
-===================================================================
---- src.orig/TpmFail.c 2020-09-10 15:43:57.085063875 +0200
-+++ src/TpmFail.c 2020-09-10 15:48:35.563302634 +0200
-@@ -214,7 +214,7 @@
- // On a 64-bit machine, this may truncate the address of the string
- // of the function name where the error occurred.
- #if FAIL_TRACE
-- s_failFunction = *(UINT32 *)&function; /* kgold */
-+ memcpy(&s_failFunction, function, sizeof(uint32_t)); /* kgold */
- s_failLine = line;
- #else
- s_failFunction = 0;
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb
index 301980dbe..7ea40a8c0 100644
--- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb
@@ -17,13 +17,11 @@ DEPENDS = "openssl"
 SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \
 file://tune-makefile.patch \
- file://fix-wrong-cast.patch \
 "
-SRC_URI[md5sum] = "43b217d87056e9155633925eb6ef749c"
-SRC_URI[sha256sum] = "dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327"
-SRC_URI[sha1sum] = "ab4b94079e57a86996991e8a2b749ce063e4ad3e"
-SRC_URI[sha384sum] = "bbef16a934853ce78cba7ddc766aa9d7ef3cde3430a322b1be772bf3ad4bd6d413ae9c4de21bc1a4879d17dfe2aadc1d"
-SRC_URI[sha512sum] = "007aa415cccf19a2bcf789c426727dc4032dcb04cc9d11eedc231d2add708c1134d3d5ee5cfbe7de68307c95fff7a30bd306fbd8d53c198a5ef348440440a6ed"
+
+SRC_URI[sha256sum] = "55145928ad2b24f34be6a0eacf9fb492e10e0ea919b8428c721fa970e85d6147"
+
+UPSTREAM_CHECK_REGEX = "libtpm(?P<pver>).tar.gz"
 S = "${WORKDIR}/src"
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb
index 4d9b5540a..ae8974b6c 100644
--- a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb
@@ -17,11 +17,13 @@ DEPENDS = "openssl ibmswtpm2"
 inherit autotools pkgconfig
-SRCREV = "3e736f712ba53c8f06e66751f60fae428fd2e20f"
+SRCREV = "c4e131e34ec0ed09411aa3bc76f76129ef881573"
 SRC_URI = " git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1 \
 file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \
 "
+UPSTREAM_CHECK_COMMITS = "1"
+
 EXTRA_OECONF = "--disable-tpm-1.2"
 S = "${WORKDIR}/git"
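Review bot: `UPSTREAM_CHECK_REGEX = "libtpm(?P<pver>).tar.gz"` cannot work as an upstream version check: the `pver` group is empty so it captures nothing, and the tarball fetched a few lines above is named `ibmtpm${PV}.tar.gz`, not libtpm. Something like `UPSTREAM_CHECK_REGEX = "ibmtpm(?P<pver>\d+)\.tar\.gz"` matches the naming SRC_URI already relies on, assuming the sourceforge file listing uses the same names, which is worth confirming. Dropping fix-wrong-cast.patch with the 1661 bump is presumably because the strict-aliasing fix landed upstream; confirm that 1661 builds with gcc10 before relying on it.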
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
new file mode 100644
index 000000000..5c91a5ec5
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
@@ -0,0 +1,295 @@ +From 2b74d3df9b3b6932052ace627b21ff1352aa2932 Mon Sep 17 00:00:00 2001 +From: William Roberts <william.c.roberts@intel.com> +Date: Wed, 5 May 2021 13:32:05 -0500 +Subject: [PATCH 1/4] test: fix build for gcc11 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes 0 size regions by ignoring them. The test code intentionally does +bad things. + +test/unit/test_twist.c: In function ‘test_twistbin_aappend_twist_null’: +test/unit/test_twist.c:327:18: error: ‘twistbin_aappend’ accessing 16 bytes in a region of size 0 [-Werror=stringop-overflow=] + 327 | actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: William Roberts <william.c.roberts@intel.com> + +Upstream-Status: Pending +Fix out for merge to offical repo + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + test/unit/test_twist.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/test/unit/test_twist.c b/test/unit/test_twist.c +index ec66f69f..58d4530a 100644 +--- a/test/unit/test_twist.c ++++ b/test/unit/test_twist.c +@@ -244,15 +244,23 @@ void test_twistbin_create(void **state) { + void test_twistbin_new_overflow_1(void **state) { + (void) state; + ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wpragmas" ++#pragma GCC diagnostic ignored "-Wstringop-overflow" + twist actual = twistbin_new((void *) 0xDEADBEEF, ~0); + assert_null(actual); ++#pragma GCC diagnostic pop + } + + void test_twistbin_new_overflow_2(void **state) { + (void) state; + ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wpragmas" ++#pragma GCC diagnostic ignored "-Wstringop-overflow" + twist actual = twistbin_new((void *) 0xDEADBEEF, ~0 - sizeof(void *)); + assert_null(actual); ++#pragma GCC diagnostic pop + } + + void test_twistbin_new_overflow_3(void **state) { +@@ -318,8 +326,12 @@ void 
test_twistbin_aappend_twist_null(void **state) { + twist actual = twistbin_aappend(expected, NULL, 42); + assert_ptr_equal((void * )actual, (void * )expected); + ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wpragmas" ++#pragma GCC diagnostic ignored "-Wstringop-overflow" + actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0); + assert_ptr_equal((void * )actual, (void * )expected); ++#pragma GCC diagnostic pop + + twist_free(actual); + } + +From 5bea05613e638375b73e29e5d56a9dabcfd2269d Mon Sep 17 00:00:00 2001 +From: William Roberts <william.c.roberts@intel.com> +Date: Wed, 5 May 2021 11:52:23 -0500 +Subject: [PATCH 2/4] utils: fix stringop-overread in str_padded_copy + +cc1: all warnings being treated as errors +| make: *** [Makefile:1953: src/lib/slot.lo] Error 1 +| make: *** Waiting for unfinished jobs.... +| In file included from src/lib/mutex.h:10, +| from src/lib/session_ctx.h:6, +| from src/lib/digest.h:13, +| from src/lib/tpm.c:28: +| In function 'str_padded_copy', +| inlined from 'tpm_get_token_info' at src/lib/tpm.c:742:5: +| src/lib/utils.h:42:5: error: 'strnlen' specified bound 32 exceeds source size 5 [-Werror=stringop-overread] +| 42 | memcpy(dst, src, strnlen((char *)(src), dst_len)); +| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +| src/lib/utils.h: In function 'tpm_get_token_info': +| src/lib/tpm.c:739:19: note: source object declared here +| 739 | unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage +| | ^~~~~~~~~~~~~~ +| cc1: all warnings being treated as errors +| make: *** [Makefile:1953: src/lib/tpm.lo] Error 1 +| WARNING: exit code 1 from a shell command. 
+ +Fixes #676 + +Signed-off-by: William Roberts <william.c.roberts@intel.com> +--- + src/lib/general.c | 8 ++++---- + src/lib/general.h | 2 +- + src/lib/slot.c | 4 ++-- + src/lib/token.c | 4 ++-- + src/lib/tpm.c | 7 +++---- + src/lib/utils.h | 6 ++++-- + 6 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/src/lib/general.c b/src/lib/general.c +index 9b7327c1..eaddaf82 100644 +--- a/src/lib/general.c ++++ b/src/lib/general.c +@@ -19,8 +19,8 @@ + #define VERSION "UNKNOWN" + #endif + +-#define LIBRARY_DESCRIPTION (CK_UTF8CHAR_PTR)"TPM2.0 Cryptoki" +-#define LIBRARY_MANUFACTURER (CK_UTF8CHAR_PTR)"tpm2-software.github.io" ++static const CK_UTF8CHAR LIBRARY_DESCRIPTION[] = "TPM2.0 Cryptoki"; ++static const CK_UTF8CHAR LIBRARY_MANUFACTURER[] = "tpm2-software.github.io"; + + #define CRYPTOKI_VERSION { \ + .major = CRYPTOKI_VERSION_MAJOR, \ +@@ -78,8 +78,8 @@ CK_RV general_get_info(CK_INFO *info) { + + static CK_INFO *_info = NULL; + if (!_info) { +- str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER, sizeof(_info_.manufacturerID)); +- str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION, sizeof(_info_.libraryDescription)); ++ str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER); ++ str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION); + + parse_lib_version(&_info_.libraryVersion.major, + &_info_.libraryVersion.minor); +diff --git a/src/lib/general.h b/src/lib/general.h +index 14a18e46..356c142d 100644 +--- a/src/lib/general.h ++++ b/src/lib/general.h +@@ -10,7 +10,7 @@ + #define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token" + #define TPM2_TOKEN_MANUFACTURER "Intel" + #define TPM2_TOKEN_MODEL "TPM2 PKCS#11" +-#define TPM2_TOKEN_SERIAL_NUMBER "0000000000000000" ++static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; + #define TPM2_TOKEN_HW_VERSION { 0, 0 } + #define TPM2_TOKEN_FW_VERSION { 0, 0 } + +diff --git a/src/lib/slot.c b/src/lib/slot.c +index 548d22b5..6db5bb93 100644 +--- a/src/lib/slot.c ++++ 
b/src/lib/slot.c +@@ -119,8 +119,8 @@ CK_RV slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) { + return CKR_GENERAL_ERROR; + } + +- str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID)); +- str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription)); ++ str_padded_copy(info->manufacturerID, token_info.manufacturerID); ++ str_padded_copy(info->slotDescription, token_info.label); + + info->hardwareVersion = token_info.hardwareVersion; + info->firmwareVersion = token_info.firmwareVersion; +diff --git a/src/lib/token.c b/src/lib/token.c +index 6d7ebd27..c7211296 100644 +--- a/src/lib/token.c ++++ b/src/lib/token.c +@@ -317,8 +317,8 @@ CK_RV token_get_info (token *t, CK_TOKEN_INFO *info) { + } + + // Identification +- str_padded_copy(info->label, t->label, sizeof(info->label)); +- str_padded_copy(info->serialNumber, (unsigned char*) TPM2_TOKEN_SERIAL_NUMBER, sizeof(info->serialNumber)); ++ str_padded_copy(info->label, t->label); ++ str_padded_copy(info->serialNumber, TPM2_TOKEN_SERIAL_NUMBER); + + + // Memory: TODO not sure what memory values should go here, the platform? +diff --git a/src/lib/tpm.c b/src/lib/tpm.c +index 1639df48..7f9f052a 100644 +--- a/src/lib/tpm.c ++++ b/src/lib/tpm.c +@@ -740,15 +740,14 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) { + unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage + UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value); + memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t)); +- str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID)); ++ str_padded_copy(info->manufacturerID, manufacturerID); + + // Map human readable Manufacturer String, if available, + // otherwise 4 byte ID was already padded and will be used. 
+ for (unsigned int i=0; i < ARRAY_LEN(TPM2_MANUFACTURER_MAP); i++){ + if (!strncasecmp((char *)info->manufacturerID, TPM2_MANUFACTURER_MAP[i][0], 4)) { + str_padded_copy(info->manufacturerID, +- (unsigned char *)TPM2_MANUFACTURER_MAP[i][1], +- sizeof(info->manufacturerID)); ++ (unsigned char *)TPM2_MANUFACTURER_MAP[i][1]); + } + } + +@@ -758,7 +757,7 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) { + vendor[1] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_2 - TPM2_PT_FIXED].value); + vendor[2] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_3 - TPM2_PT_FIXED].value); + vendor[3] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_4 - TPM2_PT_FIXED].value); +- str_padded_copy(info->model, (unsigned char*) &vendor, sizeof(info->model)); ++ str_padded_copy(info->model, (unsigned char*) &vendor); + + return CKR_OK; + } +diff --git a/src/lib/utils.h b/src/lib/utils.h +index 81c61fae..cf357464 100644 +--- a/src/lib/utils.h ++++ b/src/lib/utils.h +@@ -39,9 +39,11 @@ + + int str_to_ul(const char *val, size_t *res); + +-static inline void str_padded_copy(CK_UTF8CHAR_PTR dst, const CK_UTF8CHAR_PTR src, size_t dst_len) { ++#define str_padded_copy(dst, src) _str_padded_copy(dst, sizeof(dst), src, strnlen((const char *)src, sizeof(src))) ++static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) { + memset(dst, ' ', dst_len); +- memcpy(dst, src, strnlen((char *)(src), dst_len)); ++ memcpy(dst, src, src_len); ++ LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst); + } + + twist utils_hash_pass(const twist pin, const twist salt); + +From afeae8a3846e06152fafb180077fbad4381a124d Mon Sep 17 00:00:00 2001 +From: William Roberts <william.c.roberts@intel.com> +Date: Wed, 5 May 2021 14:09:27 -0500 +Subject: [PATCH 3/4] general: drop unused macros + +Signed-off-by: William Roberts <william.c.roberts@intel.com> +--- + src/lib/general.h | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/src/lib/general.h 
b/src/lib/general.h +index 356c142d..b3089554 100644 +--- a/src/lib/general.h ++++ b/src/lib/general.h +@@ -7,17 +7,7 @@ + + #include "pkcs11.h" + +-#define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token" +-#define TPM2_TOKEN_MANUFACTURER "Intel" +-#define TPM2_TOKEN_MODEL "TPM2 PKCS#11" + static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; +-#define TPM2_TOKEN_HW_VERSION { 0, 0 } +-#define TPM2_TOKEN_FW_VERSION { 0, 0 } +- +-#define TPM2_SLOT_DESCRIPTION "Intel TPM2.0 Cryptoki" +-#define TPM2_SLOT_MANUFACTURER TPM2_TOKEN_MANUFACTURER +-#define TPM2_SLOT_HW_VERSION TPM2_TOKEN_HW_VERSION +-#define TPM2_SLOT_FW_VERSION TPM2_TOKEN_FW_VERSION + + CK_RV general_init(void *init_args); + CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list); + +From 8b43a99c5ff604d890bdc23fd2fa5f98aa087d83 Mon Sep 17 00:00:00 2001 +From: William Roberts <william.c.roberts@intel.com> +Date: Wed, 5 May 2021 14:11:04 -0500 +Subject: [PATCH 4/4] token: move TPM2_TOKEN_SERIAL_NUMBER local to use + +Signed-off-by: William Roberts <william.c.roberts@intel.com> +--- + src/lib/general.h | 2 -- + src/lib/token.c | 2 ++ + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/lib/general.h b/src/lib/general.h +index b3089554..9afd61ec 100644 +--- a/src/lib/general.h ++++ b/src/lib/general.h +@@ -7,8 +7,6 @@ + + #include "pkcs11.h" + +-static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; +- + CK_RV general_init(void *init_args); + CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list); + CK_RV general_get_info(CK_INFO *info); +diff --git a/src/lib/token.c b/src/lib/token.c +index c7211296..63a9a71b 100644 +--- a/src/lib/token.c ++++ b/src/lib/token.c +@@ -20,6 +20,8 @@ + #include "token.h" + #include "utils.h" + ++static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; ++ + void pobject_config_free(pobject_config *c) { + + if (c->is_transient) { 
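Review bot: The new `str_padded_copy` macro in src/lib/utils.h bounds strnlen by `sizeof(src)`, which is the pointer size for the callers that pass a cast pointer — `(unsigned char *)TPM2_MANUFACTURER_MAP[i][1]` and `(unsigned char*) &vendor` in tpm.c — so those copies are silently truncated to a pointer's width on 64-bit, and for an array source longer than dst the unbounded `memcpy(dst, src, src_len)` can overrun dst where the old code was bounded by dst_len. Bounding by the destination instead, `_str_padded_copy(dst, sizeof(dst), src, strnlen((const char *)src, sizeof(dst)))`, keeps the original semantics while still avoiding the stringop-overread warning. The `LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst);` line is leftover debug output that logs every padded copy at error level and passes a size_t where `%.*s` expects an int; it should be dropped before this backport is applied. The patch is marked Upstream-Status: Pending, so the merged upstream version may already differ — worth checking before carrying this copy.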
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.5.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb
index d53d4fa86..63ec18d94 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.5.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb
@@ -4,13 +4,15 @@ SECTION = "security/tpm"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab"
-DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml python3-setuptools-native"
+DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native"
-SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=1.X \
+SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master \
 file://bootstrap_fixup.patch \
- file://0001-remove-local-binary-checkes.patch"
+ file://0001-remove-local-binary-checkes.patch \
+ file://677.patch \
+ "
-SRCREV = "5d583351028eebd470f50ec35db5dcf00533df31"
+SRCREV = "c2d53cc1af6b9df13c832715442853b21048c273"
 S = "${WORKDIR}/git"
@@ -26,6 +28,10 @@ do_compile_append() {
 }
 do_install_append() {
+ install -d ${D}${libdir}/pkcs11
+ install -d ${D}${datadir}/p11-kit
+ rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so
+
 cd ${S}/tools
 export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}"
 ${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build
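Review bot: The three lines added at the top of do_install_append create ${libdir}/pkcs11 and then immediately `rm -f` libtpm2_pkcs11.so from it with no explanation, which reads as contradictory next to the `FILES_${PN} += "${libdir}/pkcs11/*"` added in the following hunk; presumably upstream's install places p11-kit module files there and only the unversioned .so is unwanted — confirm, and record it in a comment such as `# keep the p11-kit module files under ${libdir}/pkcs11, drop the unversioned .so`. The SRC_URI change from branch=1.X to branch=master for a recipe named 1.6.0 is pinned by SRCREV, but a comment noting which upstream tag the rev corresponds to would make the next bump safer.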
@@ -33,12 +39,17 @@ do_install_append() {
 sed -i -e "s:${PYTHON}:${USRBINPATH}/env ${PYTHON_PN}:g" "${D}${bindir}"/tpm2_ptool
 }
-RDEPNDS_${PN} = "tpm2-tools"
-
 PACKAGES =+ "${PN}-tools"
-RDEPENDS_${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules"
 FILES_${PN}-tools = "\
 ${bindir}/tpm2_ptool \
 ${libdir}/${PYTHON_DIR}/* \
-"
+ "
+
+FILES_${PN} += "\
+ ${libdir}/pkcs11/* \
+ ${datadir}/p11-kit/* \
+ "
+
+RDEPNDS_${PN} = "tpm2-tools"
+RDEPENDS_${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
index b2486e5be..cc4f191a2 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
@@ -17,7 +17,7 @@ PACKAGECONFIG ??= ""
 PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
 PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c "
-EXTRA_OECONF += "--enable-static --with-udevrulesdir=${base_prefix}/lib/udev/rules.d/"
+EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/"
 EXTRA_OECONF_remove = " --disable-static"
@@ -73,6 +73,6 @@ FILES_libtss2-dev = " \
 ${libdir}/libtss2*so"
 FILES_libtss2-staticdev = "${libdir}/libtss*a"
-FILES_${PN} = "${libdir}/udev ${base_prefix}/lib/udev"
+FILES_${PN} = "${libdir}/udev ${nonarch_base_libdir}/udev"
 RDEPENDS_libtss2 = "libgcrypt" |
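Review bot: `+RDEPNDS_${PN} = "tpm2-tools"` re-adds the misspelled variable that the removed lines carried, so the runtime dependency on tpm2-tools is still never applied to ${PN}; since the line is being moved anyway, fix it to `RDEPENDS_${PN} = "tpm2-tools"`. Nothing else in this hunk sets RDEPENDS for the main package, so without the fix the package installs without tpm2-tools on the target.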