From: Dimi Tomov <dimi@tpm.dev>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: "Yann E. MORIN" <yann.morin.1998@free.fr>,
Buildroot Mailing List <buildroot@buildroot.org>
Subject: Re: [Buildroot] [PATCH v2,1/2] package/wolftpm: fix dependencies
Date: Wed, 15 Jun 2022 10:34:25 +0300
Message-ID: <20cbc6dcf8f37e19f415424b826962bf@tpm.dev>
In-Reply-To: <CAPi7W82UkmeW1uP8XrnOKvis_YpZZtCTg+6YHhTnnm5ke-w42Q@mail.gmail.com>
Hi Fabrice,
You are right. I will submit a v2 of my patch. It will be just about
extra TPM 2.0 functionality.
I now remember that because the TPM RNG source is secure but rather
slow, the default option was switched to SW RNG (wolfCrypt) and then for
security-sensitive applications the RNG source is configurable through
the WOLFTPM2_USE_HW_RNG define switch that you mention.
Thank you.
Thanks,
Dimi
On 2022-06-15 10:30 AM, Fabrice Fontaine wrote:
> Hi Dimi,
>
> On Wed, 15 Jun 2022 at 09:10, Dimi Tomov <dimi@tpm.dev> wrote:
>>
>> Hi Yann,
>>
>> I just noticed one really bad typo. I could submit a patch that also
>> adds extra wolfTPM options, so it is not a one-word patch.
>>
>> "Enable wolfCrypt hooks for RNG, Auth Sessions and Parameter
>> encryption."
>
> This sentence was copy/pasted from wolftpm's configure.ac/README.md:
> https://github.com/wolfSSL/wolfTPM/blob/160b3e04f6121aa7429f030c570bd86239ca01b8/configure.ac#L154
> I would advise to also send them a PR if this is incorrect.
>
> However, after a quick search on upstream github, it seems that
> wolftpm supports hardware and software RNG through
> WOLFTPM2_USE_{HW,WOLF}_RNG:
> https://github.com/wolfSSL/wolfTPM/blob/160b3e04f6121aa7429f030c570bd86239ca01b8/wolftpm/tpm2_wrap.h#L1685
>
> It even seems that WOLFTPM2_USE_HW_RNG is not defined by default
> resulting in WOLFTPM2_USE_WOLF_RNG being used as soon as wolfcrypt is
> available:
> https://github.com/wolfSSL/wolfTPM/blob/5dd781e4717422b717021ed1dd8aeb226d98e480/wolftpm/tpm2.h#L1694
>
> So, IMHO, the sentence is not incorrect and an option to enable
> hardware RNG is needed.
>
>>
>> The TPM chip is the source of RNG. To claim that a TPM 2.0 library is
>> using a Software-based source of RNG would be a red flag for users. The
>> rest is accurate - wolfCrypt is used by wolfTPM to establish Session and
>> Parameter encryption between the Host CPU and the TPM chip.
>>
>> Thanks,
>> Dimi
>>
>> On 2022-06-12 06:19 PM, Yann E. MORIN wrote:
>> > Fabrice, All,
>> >
>> > On 2022-06-12 10:45 +0200, Fabrice Fontaine spake thusly:
>> >> pkg-config is not used by wolftpm and the wolfssl dependency is missing
>> >> (and optional but highly recommended), resulting in the following build
>> >> failure since the addition of the package in commit
>> >> 4bb884a3c61c6b71e33f69453a90eb2a367f64b7:
>> >>
>> >> configure: error: WolfSSL library not found. You can get it from
>> >> http://www.wolfssl.com/download.html
>> >> If it's already installed, specify its path using
>> >> --with-wolfcrypt=/dir or --prefix=/dir
>> >>
>> >> Fixes:
>> >> - http://autobuild.buildroot.org/results/77a93521b909e701ef4e86f18524258b9242c721
>> >>
>> >> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>> >
>> > Both patches applied to master, thanks.
>> >
>> > Regards,
>> > Yann E. MORIN.
>> >
>> >> ---
>> >> Changes v1 -> v2 (after review of Dimi Tomov):
>> >> - Add a wolfcrypt option which is enabled by default
>> >>
>> >> package/wolftpm/Config.in | 23 ++++++++++++++++++-----
>> >> package/wolftpm/wolftpm.mk | 13 ++++++++++---
>> >> 2 files changed, 28 insertions(+), 8 deletions(-)
>> >>
>> >> diff --git a/package/wolftpm/Config.in b/package/wolftpm/Config.in
>> >> index 0fe094f277..0b964c3d7e 100644
>> >> --- a/package/wolftpm/Config.in
>> >> +++ b/package/wolftpm/Config.in
>> >> @@ -1,9 +1,5 @@
>> >> config BR2_PACKAGE_WOLFTPM
>> >> bool "wolftpm"
>> >> - depends on BR2_TOOLCHAIN_HAS_THREADS
>> >> - depends on !BR2_STATIC_LIBS
>> >> - select BR2_PACKAGE_WOLFSSL
>> >> - select BR2_PACKAGE_WOLFSSL_ALL
>> >> help
>> >> wolfTPM is a portable, open-source TPM 2.0 stack with
>> >> backward API compatibility, designed for embedded use.
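Review bot: with the toolchain constraints and the wolfssl selects removed from this symbol, the top-level help text no longer gives any hint that the package is normally built against wolfssl, even though the commit message calls that dependency "optional but highly recommended"; add a sentence to this help pointing at the wolfCrypt hooks sub-option and saying what a build without it lacks, so that someone reading only this entry in menuconfig knows the reduced build exists. Dropping the `depends on` lines here is right on its own: a wolftpm build without wolfcrypt has no reason to inherit wolfssl's threads and dynamic-library requirements.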
>> >> @@ -12,5 +8,22 @@ config BR2_PACKAGE_WOLFTPM
>> >>
>> >> https://www.wolfssl.com/
>> >>
>> >> -comment "wolftpm needs a toolchain w/ threads, dynamic library"
>> >> +if BR2_PACKAGE_WOLFTPM
>> >> +
>> >> +config BR2_PACKAGE_WOLFTPM_WOLFCRYPT
>> >> + bool "wolfCrypt hooks"
>> >> + default y
>> >> + depends on BR2_TOOLCHAIN_HAS_THREADS # wolfssl
>> >> + depends on !BR2_STATIC_LIBS # wolfssl-all
>> >> + select BR2_PACKAGE_WOLFSSL
>> >> + # not mandatory, but needed to get all features
>> >> + select BR2_PACKAGE_WOLFSSL_ALL
>> >> + help
>> >> + Enable wolfCrypt hooks for RNG, Auth Sessions and Parameter
>> >> + encryption. Disabling this option is not recommended as it
>> >> + could create a security breach in most environments.
>> >> +
>> >> +comment "wolfCrypt hooks need a toolchain w/ threads, dynamic
>> >> library"
>> >> depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
>> >> +
>> >> +endif
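Review bot: the help text warns that disabling the hooks "could create a security breach in most environments" without saying what is lost; state it concretely: without wolfCrypt, wolfTPM has no Auth Sessions and no Parameter encryption between the host CPU and the TPM chip, so the sensitive parameters exchanged with the TPM travel unencrypted. As this thread establishes, the "RNG" in that sentence should also not be read as hardware RNG: when wolfcrypt is available wolfTPM uses WOLFTPM2_USE_WOLF_RNG unless WOLFTPM2_USE_HW_RNG is defined, so selecting the TPM as RNG source needs a separate option, which the follow-up patch promised in this thread is the right place for. Secondary point: `depends on !BR2_STATIC_LIBS # wolfssl-all` is imposed only by `select BR2_PACKAGE_WOLFSSL_ALL`, which the comment above it calls "not mandatory"; if the hooks build against plain wolfssl, dropping that select would remove the static-libs restriction and let `default y` take effect on more configurations, which matters for an option the help text says should not be off.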
>> >> diff --git a/package/wolftpm/wolftpm.mk b/package/wolftpm/wolftpm.mk
>> >> index ea01eaad6b..760656e134 100644
>> >> --- a/package/wolftpm/wolftpm.mk
>> >> +++ b/package/wolftpm/wolftpm.mk
>> >> @@ -10,7 +10,6 @@ WOLFTPM_INSTALL_STAGING = YES
>> >> WOLFTPM_LICENSE = GPL-2.0+
>> >> WOLFTPM_LICENSE_FILES = LICENSE
>> >> WOLFTPM_CPE_ID_VENDOR = wolfssl
>> >> -WOLFTPM_DEPENDENCIES = host-pkgconf
>> >> WOLFTPM_CONFIG_SCRIPTS = wolftpm-config
>> >>
>> >> # wolfTPM's source code is released without a configure script,
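Review bot: dropping host-pkgconf matches the commit message, and nothing left in this file references pkg-config: wolfssl is located through `--with-wolfcrypt=$(STAGING_DIR)/usr` further down, and the configure error quoted in the commit message ("specify its path using --with-wolfcrypt=/dir or --prefix=/dir") confirms a path-based lookup rather than a .pc file. One check before applying: confirm configure.ac has no PKG_CHECK_MODULES call for wolfssl, since after this hunk the `--with-wolfcrypt` path becomes the only discovery mechanism. The WOLFTPM_CPE_ID_VENDOR line kept as context here is the one patch 2/2 of this series removes, so 2/2 needs 1/2 applied first, which the series order already guarantees.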
>> >> @@ -19,8 +18,7 @@ WOLFTPM_AUTORECONF = YES
>> >>
>> >> WOLFTPM_CONF_OPTS = \
>> >> --disable-examples \
>> >> - --enable-devtpm \
>> >> - --with-wolfcrypt=$(STAGING_DIR)/usr
>> >> + --enable-devtpm
>> >>
>> >> # Fix for missing config.rpath in the codebase
>> >> define WOLFTPM_TOUCH_CONFIG_RPATH
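Review bot: taking `--with-wolfcrypt=$(STAGING_DIR)/usr` out of the unconditional options is the real fix for the quoted failure: the path pointed into staging, but with wolfssl absent from WOLFTPM_DEPENDENCIES nothing ensured wolfssl had been installed there before wolftpm's configure ran, hence "WolfSSL library not found". Keeping `--enable-devtpm` unconditional is correct, since the Linux TPM device backend does not depend on wolfcrypt. Style only: with a single option remaining after `--disable-examples`, the backslash continuation is still fine, but the trailing backslash on `--disable-examples` must stay as it is here, because a stray continuation on the last line would swallow the blank line that follows.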
>> >> @@ -29,4 +27,13 @@ define WOLFTPM_TOUCH_CONFIG_RPATH
>> >> endef
>> >> WOLFTPM_PRE_CONFIGURE_HOOKS += WOLFTPM_TOUCH_CONFIG_RPATH
>> >>
>> >> +ifeq ($(BR2_PACKAGE_WOLFTPM_WOLFCRYPT),y)
>> >> +WOLFTPM_CONF_OPTS += \
>> >> + --enable-wolfcrypt \
>> >> + --with-wolfcrypt=$(STAGING_DIR)/usr
>> >> +WOLFTPM_DEPENDENCIES += wolfssl
>> >> +else
>> >> +WOLFTPM_CONF_OPTS += --disable-wolfcrypt
>> >> +endif
>> >> +
>> >> $(eval $(autotools-package))
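Review bot: the else branch relies on configure accepting `--disable-wolfcrypt`; the failure quoted in the commit message only mentions `--with-wolfcrypt=/dir`, so confirm that configure.ac really defines an `--enable-wolfcrypt` argument (Fabrice's reference to configure.ac line 154 in this thread suggests it does). Autoconf only warns about unrecognised `--disable-*` flags, so if the argument did not exist the no-wolfcrypt configuration would still probe for wolfSSL and fail with the same error this patch is meant to fix. Also worth a one-line comment above the `else`: the Config.in help warns that a build without the hooks loses Auth Sessions and Parameter encryption, and repeating that next to `--disable-wolfcrypt` keeps the two files in sync for the next person who touches the .mk.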
>> >> --
>> >> 2.35.1
>> >>
>> >> _______________________________________________
>> >> buildroot mailing list
>> >> buildroot@buildroot.org
>> >> https://lists.buildroot.org/mailman/listinfo/buildroot
>>
>> --
>> Founder of TPM.dev
>
> Best Regards,
>
> Fabrice
--
Founder of TPM.dev
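Added example, written for this page and not code from Buildroot or wolfTPM: it turns the thread's conclusion into a check a practitioner can run over a Buildroot .config. It reports whether wolftpm is built with the wolfCrypt hooks (BR2_PACKAGE_WOLFTPM_WOLFCRYPT from the patch above) and, if so, whether the build defines WOLFTPM2_USE_HW_RNG, without which wolfTPM uses WOLFTPM2_USE_WOLF_RNG, the wolfCrypt software RNG. Assumed, not from the page: that the define reaches the build as a string of CFLAGS; the function names and the sample .config fragments are constructed for the example.

```shell
#!/bin/sh
# Added example (not Buildroot's or wolfTPM's own code). Audits a Buildroot
# .config plus the CFLAGS handed to wolftpm for the two choices discussed in
# the thread: wolfCrypt hooks on/off, and TPM hardware RNG vs wolfCrypt SW RNG.
# Assumption: the WOLFTPM2_USE_HW_RNG define is passed through a CFLAGS string.

# write_sample_config FILE VARIANT
# Writes a constructed .config fragment. VARIANT is one of: off, nocrypt, crypt.
write_sample_config() {
    case "$2" in
        off)
            printf '%s\n' '# BR2_PACKAGE_WOLFTPM is not set' > "$1" ;;
        nocrypt)
            # What you get when the sub-option is switched off, or when the
            # toolchain lacks threads / is static and "default y" cannot apply.
            printf '%s\n' 'BR2_PACKAGE_WOLFTPM=y' \
                '# BR2_PACKAGE_WOLFTPM_WOLFCRYPT is not set' > "$1" ;;
        crypt)
            printf '%s\n' 'BR2_PACKAGE_WOLFTPM=y' 'BR2_PACKAGE_WOLFTPM_WOLFCRYPT=y' \
                'BR2_PACKAGE_WOLFSSL=y' 'BR2_PACKAGE_WOLFSSL_ALL=y' > "$1" ;;
        *)
            echo "unknown variant: $2" >&2; return 1 ;;
    esac
}

# audit_wolftpm CONFIG_FILE CFLAGS
# Prints exactly one verdict:
#   absent            wolftpm is not built
#   no-wolfcrypt      wolftpm without wolfCrypt hooks: no Auth Sessions and no
#                     Parameter encryption between host CPU and TPM
#   wolfcrypt-sw-rng  hooks on, RNG is wolfCrypt's software RNG (the default
#                     when WOLFTPM2_USE_HW_RNG is not defined)
#   wolfcrypt-hw-rng  hooks on, RNG taken from the TPM chip
audit_wolftpm() {
    cfg="$1"
    cflags="$2"
    # "=y$" anchors the match so BR2_PACKAGE_WOLFTPM_WOLFCRYPT=y is not
    # mistaken for the package symbol itself.
    if ! grep -q '^BR2_PACKAGE_WOLFTPM=y$' "$cfg"; then
        echo absent
        return 0
    fi
    if ! grep -q '^BR2_PACKAGE_WOLFTPM_WOLFCRYPT=y$' "$cfg"; then
        echo no-wolfcrypt
        return 0
    fi
    case "$cflags" in
        *"-DWOLFTPM2_USE_HW_RNG"*) echo wolfcrypt-hw-rng ;;
        *) echo wolfcrypt-sw-rng ;;
    esac
}

# Demo over the constructed configs (all four verdicts appear once).
demo_dir="${TMPDIR:-/tmp}/wolftpm-audit.$$"
mkdir -p "$demo_dir"
for v in off nocrypt crypt; do
    write_sample_config "$demo_dir/$v.config" "$v"
    printf '%-9s %s\n' "$v" "$(audit_wolftpm "$demo_dir/$v.config" "")"
done
printf '%-9s %s\n' "crypt+hw" \
    "$(audit_wolftpm "$demo_dir/crypt.config" "-Os -DWOLFTPM2_USE_HW_RNG")"
rm -rf "$demo_dir"
```

The verdict a security reviewer wants on a shipped image is `wolfcrypt-hw-rng`; `wolfcrypt-sw-rng` is what the patch's `default y` gives you on its own, and `no-wolfcrypt` is the build the Config.in help text advises against.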
Thread overview:
2022-06-12 8:45 [Buildroot] [PATCH v2,1/2] package/wolftpm: fix dependencies Fabrice Fontaine
2022-06-12 8:45 ` [Buildroot] [PATCH v2, 2/2] package/wolftpm: drop WOLFTPM_CPE_ID_VENDOR Fabrice Fontaine
2022-06-12 15:19 ` [Buildroot] [PATCH v2,1/2] package/wolftpm: fix dependencies Yann E. MORIN
2022-06-15 7:10 ` Dimi Tomov
2022-06-15 7:30 ` Fabrice Fontaine
2022-06-15 7:34 ` Dimi Tomov [this message]