tpm2-pkcs11: fix fapi configure option; split tpm2-pkcs11-{esapi,fapi}

Per documentation at:
https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/FAPI.md
the ESAPI support for tpm2-pkcs11 creates a fundamentally different
package, so split it into two new attributes: tpm2-pkcs11-esapi and
tpm2-pkcs11-fapi.

The existing package is unchanged: it supports both FAPI and esysdb, and
still requires TPM2_PKCS11_BACKEND=fapi to be exported in order to use FAPI.

The tpm2-pkcs11-esapi attribute has fapi support compiled out and uses
esysdb all the time.

The tpm2-pkcs11-fapi attribute takes the extra step of applying a patch
that causes tpm2-pkcs11 to default to using FAPI, without needing to
export TPM2_PKCS11_BACKEND=fapi. However, TPM2_PKCS11_BACKEND=esysdb can
still be exported and will work.

+88 -7
+12
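--- a/pkgs/by-name/tp/tpm2-pkcs11-esapi/package.nix
+++ b/pkgs/by-name/tp/tpm2-pkcs11-esapi/package.nix
@@ -0,0 +1,12 @@
+{
+  tpm2-pkcs11,
+  ...
+}@args:
+
+tpm2-pkcs11.override (
+  args
+  // {
+    fapiSupport = false;
+    extraDescription = "Disables FAPI support, as if TPM2_PKCS11_BACKEND were always set to 'esysdb'.";
+  }
+)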
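Review bot: The `{ tpm2-pkcs11, ... }@args` header and `args //` forward nothing but `tpm2-pkcs11` itself back into its own `.override`, because callPackage (as far as I recall of lib.functionArgs) only supplies the parameters named explicitly, so the `...` never carries any extra argument. The plain form `tpm2-pkcs11.override { fapiSupport = false; extraDescription = "..."; }` expresses the same derivation without suggesting a pass-through that does not happen; if pass-through was the intent, the variant should instead take the options it forwards by name. The same applies to tpm2-pkcs11-fapi/package.nix.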
+13
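--- a/pkgs/by-name/tp/tpm2-pkcs11-fapi/package.nix
+++ b/pkgs/by-name/tp/tpm2-pkcs11-fapi/package.nix
@@ -0,0 +1,13 @@
+{
+  tpm2-pkcs11,
+  ...
+}@args:
+
+tpm2-pkcs11.override (
+  args
+  // {
+    fapiSupport = true;
+    defaultToFapi = true;
+    extraDescription = "Enables fapi by default, as if TPM2_PKCS11_BACKEND defaulted to 'fapi'.";
+  }
+)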
+33
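--- a/pkgs/by-name/tp/tpm2-pkcs11/default-to-fapi.patch
+++ b/pkgs/by-name/tp/tpm2-pkcs11/default-to-fapi.patch
@@ -0,0 +1,33 @@
+From 648f0d08953152185e13feaca4feda02f8665341 Mon Sep 17 00:00:00 2001
+From: Morgan Jones <me@numin.it>
+Date: Wed, 9 Apr 2025 00:12:47 -0700
+Subject: [PATCH] backend: default to fapi
+
+---
+ src/lib/backend.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/backend.c b/src/lib/backend.c
+index 128f58b..8404afe 100644
+--- a/src/lib/backend.c
++++ b/src/lib/backend.c
+@@ -15,12 +15,12 @@ static enum backend get_backend(void) {
+ 
+     const char *env = getenv("TPM2_PKCS11_BACKEND");
+ 
+-    if (!env || !strcasecmp(env, "esysdb")) {
+-        return backend_esysdb;
++    if (!env || !strcasecmp(env, "fapi")) {
++        return backend_fapi;
+     }
+ 
+-    if (!strcasecmp(env, "fapi")) {
+-        return backend_fapi;
++    if (!strcasecmp(env, "esysdb")) {
++        return backend_esysdb;
+     }
+ 
+     return backend_error;
+-- 
+2.47.0
+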
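Review bot: The patch body between the Subject line and the `---` separator is empty, so nothing in the file records why the nixpkgs build inverts upstream's fallback backend or whether the change was offered upstream; the next person bumping tpm2-pkcs11 has to rediscover that from package.nix. A short paragraph stating that it only swaps the backend chosen when TPM2_PKCS11_BACKEND is unset from esysdb to fapi, that esysdb stays selectable explicitly, and the upstream status would be enough. The `get_backend` function the hunk modifies begins before and ends after the visible lines.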
+30 -7
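--- a/pkgs/by-name/tp/tpm2-pkcs11/package.nix
+++ b/pkgs/by-name/tp/tpm2-pkcs11/package.nix
@@ -26,14 +26,18 @@
   swtpm,
   tpm2-abrmd,
   tpm2-openssl,
-  tpm2-pkcs11, # for passthru abrmd tests
+  tpm2-pkcs11, # for passthru tests
+  tpm2-pkcs11-esapi,
+  tpm2-pkcs11-fapi,
   tpm2-tools,
   tpm2-tss,
   which,
   xxd,
   abrmdSupport ? false,
   fapiSupport ? true,
+  defaultToFapi ? false,
   enableFuzzing ? false,
+  extraDescription ? null,
 }:
 
 let
@@ -51,7 +55,9 @@
   };
 
   # Disable Java‐based tests because of missing dependencies
-  patches = [ ./disable-java-integration.patch ];
+  patches =
+    lib.singleton ./disable-java-integration.patch
+    ++ lib.optional defaultToFapi ./default-to-fapi.patch;
 
   postPatch = ''
     echo ${lib.escapeShellArg finalAttrs.version} >VERSION
@@ -80,12 +86,14 @@
     [
       (lib.enableFeature finalAttrs.doCheck "unit")
       (lib.enableFeature finalAttrs.doCheck "integration")
+
+      # Strangely, it uses --with-fapi=yes|no instead of a normal configure flag.
+      "--with-fapi=${if fapiSupport then "yes" else "no"}"
     ]
     ++ lib.optionals enableFuzzing [
       "--enable-fuzzing"
       "--disable-hardening"
-    ]
-    ++ lib.optional fapiSupport "--with-fapi";
+    ];
 
   strictDeps = true;
 
@@ -178,6 +186,10 @@
 
     # Enable tests to load TPM2 OpenSSL module
     export OPENSSL_MODULES="${openssl-modules}/lib/ossl-modules"
+  ''
+  + lib.optionalString defaultToFapi ''
+    # Need to change the default since the tests expect the other way.
+    export TPM2_PKCS11_BACKEND=esysdb
   '';
 
   postInstall = ''
@@ -211,13 +223,24 @@
   '';
 
   passthru = {
-    tests.tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
-      abrmdSupport = true;
+    tests = {
+      inherit tpm2-pkcs11-esapi tpm2-pkcs11-fapi;
+      tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
+        abrmdSupport = true;
+      };
+      tpm2-pkcs11-esapi-abrmd = tpm2-pkcs11-esapi.override {
+        abrmdSupport = true;
+      };
+      tpm2-pkcs11-fapi-abrmd = tpm2-pkcs11-fapi.override {
+        abrmdSupport = true;
+      };
     };
   };
 
   meta = {
-    description = "PKCS#11 interface for TPM2 hardware";
+    description =
+      "PKCS#11 interface for TPM2 hardware."
+      + lib.optionalString (extraDescription != null) " ${extraDescription}";
     homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
     license = lib.licenses.bsd2;
     platforms = lib.platforms.linux;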
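Review bot: Nothing rejects `defaultToFapi = true` together with `fapiSupport = false` (the two new parameters at gutter lines 37–38), which would apply default-to-fapi.patch to a build configured with `--with-fapi=no`; the patch makes fapi the fallback when TPM2_PKCS11_BACKEND is unset, so the library would presumably select a backend it was built without, though what the C side does in that case is not visible here. A guard before `let` turns that combination into an evaluation error: `assert lib.assertMsg (defaultToFapi -> fapiSupport) "tpm2-pkcs11: defaultToFapi requires fapiSupport";`. The `export TPM2_PKCS11_BACKEND=esysdb` added to the check phase also means the defaultToFapi variant's own tests never run through the patched default, so a regression in that path would only show up at runtime; a comment saying so next to the export would help. On the `--with-fapi=${...}` line, if upstream's configure.ac uses ordinary AC_ARG_WITH handling then `lib.withFeature fapiSupport "fapi"` would express the same choice without the hand-built string — worth checking before keeping the comment that calls it strange.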