tpm2-pkcs11: fix fapi configure option; split tpm2-pkcs11-{esapi,fapi}

Per documentation at:
https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/FAPI.md
the ESAPI support for tpm2-pkcs11 creates a fundamentally different
package, so split it into two new attributes: tpm2-pkcs11-esapi and
tpm2-pkcs11-fapi.

The existing package is unchanged, supporting both FAPI and esysdb, and
also requiring TPM2_PKCS11_BACKEND=fapi to be exported to use FAPI.

The tpm2-pkcs11-esapi attribute has fapi support compiled out and uses
esysdb all the time.

The tpm2-pkcs11-fapi attribute takes the extra step of applying a patch
that causes tpm2-pkcs11 to default to using FAPI, without needing to
export TPM2_PKCS11_BACKEND=fapi. However, TPM2_PKCS11_BACKEND=esysdb can
still be exported and will work.

+88 -7
+12
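--- a/pkgs/by-name/tp/tpm2-pkcs11-esapi/package.nix
+++ b/pkgs/by-name/tp/tpm2-pkcs11-esapi/package.nix
@@ -0,0 +1,12 @@
+{
+  tpm2-pkcs11,
+  ...
+}@args:
+
+tpm2-pkcs11.override (
+  args
+  // {
+    fapiSupport = false;
+    extraDescription = "Disables FAPI support, as if TPM2_PKCS11_BACKEND were always set to 'esysdb'.";
+  }
+)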
+13
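--- a/pkgs/by-name/tp/tpm2-pkcs11-fapi/package.nix
+++ b/pkgs/by-name/tp/tpm2-pkcs11-fapi/package.nix
@@ -0,0 +1,13 @@
+{
+  tpm2-pkcs11,
+  ...
+}@args:
+
+tpm2-pkcs11.override (
+  args
+  // {
+    fapiSupport = true;
+    defaultToFapi = true;
+    extraDescription = "Enables fapi by default, as if TPM2_PKCS11_BACKEND defaulted to 'fapi'.";
+  }
+)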
+33
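--- a/pkgs/by-name/tp/tpm2-pkcs11/default-to-fapi.patch
+++ b/pkgs/by-name/tp/tpm2-pkcs11/default-to-fapi.patch
@@ -0,0 +1,33 @@
+From 648f0d08953152185e13feaca4feda02f8665341 Mon Sep 17 00:00:00 2001
+From: Morgan Jones <me@numin.it>
+Date: Wed, 9 Apr 2025 00:12:47 -0700
+Subject: [PATCH] backend: default to fapi
+
+---
+ src/lib/backend.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/backend.c b/src/lib/backend.c
+index 128f58b..8404afe 100644
+--- a/src/lib/backend.c
++++ b/src/lib/backend.c
+@@ -15,12 +15,12 @@ static enum backend get_backend(void) {
+ 
+     const char *env = getenv("TPM2_PKCS11_BACKEND");
+ 
+-    if (!env || !strcasecmp(env, "esysdb")) {
+-        return backend_esysdb;
++    if (!env || !strcasecmp(env, "fapi")) {
++        return backend_fapi;
+     }
+ 
+-    if (!strcasecmp(env, "fapi")) {
+-        return backend_fapi;
++    if (!strcasecmp(env, "esysdb")) {
++        return backend_esysdb;
+     }
+ 
+     return backend_error;
+-- 
+2.47.0
+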
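Review bot: The patch carries only a one-line subject and no body, so a reader of backend.c in the patched tree gets no hint that the default was swapped locally rather than upstream. A sentence in the patch description would record the intent and the scope, e.g. `Nixpkgs-local: make fapi the backend when TPM2_PKCS11_BACKEND is unset; an explicit esysdb value is still honoured and any other value still yields backend_error.` That last property is visible in the hunk, since both explicit-value checks are kept and only the unset case moves. The rest of get_backend lies outside the hunk.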
+30 -7
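--- a/pkgs/by-name/tp/tpm2-pkcs11/package.nix
+++ b/pkgs/by-name/tp/tpm2-pkcs11/package.nix
@@ -26,14 +26,18 @@
   swtpm,
   tpm2-abrmd,
   tpm2-openssl,
-  tpm2-pkcs11, # for passthru abrmd tests
+  tpm2-pkcs11, # for passthru tests
+  tpm2-pkcs11-esapi,
+  tpm2-pkcs11-fapi,
   tpm2-tools,
   tpm2-tss,
   which,
   xxd,
   abrmdSupport ? false,
   fapiSupport ? true,
+  defaultToFapi ? false,
   enableFuzzing ? false,
+  extraDescription ? null,
 }:
 
 let
@@ -51,7 +55,9 @@
   };
 
   # Disable Java‐based tests because of missing dependencies
-  patches = [ ./disable-java-integration.patch ];
+  patches =
+    lib.singleton ./disable-java-integration.patch
+    ++ lib.optional defaultToFapi ./default-to-fapi.patch;
 
   postPatch = ''
     echo ${lib.escapeShellArg finalAttrs.version} >VERSION
@@ -80,12 +86,14 @@
     [
       (lib.enableFeature finalAttrs.doCheck "unit")
       (lib.enableFeature finalAttrs.doCheck "integration")
+
+      # Strangely, it uses --with-fapi=yes|no instead of a normal configure flag.
+      "--with-fapi=${if fapiSupport then "yes" else "no"}"
     ]
     ++ lib.optionals enableFuzzing [
       "--enable-fuzzing"
       "--disable-hardening"
-    ]
-    ++ lib.optional fapiSupport "--with-fapi";
+    ];
 
   strictDeps = true;
 
@@ -178,6 +186,10 @@
 
     # Enable tests to load TPM2 OpenSSL module
     export OPENSSL_MODULES="${openssl-modules}/lib/ossl-modules"
+  ''
+  + lib.optionalString defaultToFapi ''
+    # Need to change the default since the tests expect the other way.
+    export TPM2_PKCS11_BACKEND=esysdb
   '';
 
   postInstall = ''
@@ -211,13 +223,24 @@
   '';
 
   passthru = {
-    tests.tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
-      abrmdSupport = true;
+    tests = {
+      inherit tpm2-pkcs11-esapi tpm2-pkcs11-fapi;
+      tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
+        abrmdSupport = true;
+      };
+      tpm2-pkcs11-esapi-abrmd = tpm2-pkcs11-esapi.override {
+        abrmdSupport = true;
+      };
+      tpm2-pkcs11-fapi-abrmd = tpm2-pkcs11-fapi.override {
+        abrmdSupport = true;
+      };
     };
   };
 
   meta = {
-    description = "PKCS#11 interface for TPM2 hardware";
+    description =
+      "PKCS#11 interface for TPM2 hardware."
+      + lib.optionalString (extraDescription != null) " ${extraDescription}";
     homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
     license = lib.licenses.bsd2;
     platforms = lib.platforms.linux;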
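Review bot: Nothing rejects `defaultToFapi = true` combined with `fapiSupport = false`: the `patches` hunk applies default-to-fapi.patch whenever defaultToFapi is set, while the configureFlags hunk passes `--with-fapi=no` in that case, so get_backend would pick backend_fapi in a build that compiles FAPI out; what that does at runtime is not visible here, but it is presumably not a working configuration. The tpm2-pkcs11-fapi wrapper sets both flags together, yet a direct `tpm2-pkcs11.override { fapiSupport = false; defaultToFapi = true; }` still evaluates. An implication assert between the argument set and `let` makes the coupling explicit: `assert lib.assertMsg (defaultToFapi -> fapiSupport) "defaultToFapi requires fapiSupport";`. Separately, the new `description` base string now ends with a period, which nixpkgs' meta.description guidance discourages for the plain package; the period could instead be added only inside the `lib.optionalString` branch that appends extraDescription. The mkDerivation body and the `let` bindings continue outside this section.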