Re: [Buildroot] [PATCH 1/1] package/tpm2-tss: needs host-acl

From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Yair Ben-Avraham <yairba@protonmail.com>,
	Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
	Buildroot Mailing List <buildroot@buildroot.org>
Subject: Re: [Buildroot] [PATCH 1/1] package/tpm2-tss: needs host-acl
Date: Sat, 6 Nov 2021 15:56:58 +0100	[thread overview]
Message-ID: <20211106145658.GA680793@scaer> (raw)
In-Reply-To: <CAPi7W83t+A1eip2Ewr7pTwm+PZmUgTWq_MOuaH5UswHtbPSjiQ@mail.gmail.com>

Fabrice, Thomas, Yair, All,

On 2021-10-19 23:28 +0200, Fabrice Fontaine spake thusly:
> Le lun. 18 oct. 2021 à 22:35, Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> a écrit :
> > On Wed, 13 Oct 2021 08:54:46 +0200
> > Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> > > Add host-acl mandatory dependency for setfacl to avoid the following
> > > build failure since bump to version 3.1.0 in commit
> > > 470e2e9bc5211184431fbc868359a9d695e624f4 and
> > > https://github.com/tpm2-software/tpm2-tss/commit/9d42f4dbde6a94724e95d57c333cda7711dda57c:
> > So this commit adds:
> > # Check all tools used by make install
> > AS_IF([test "$HOSTOS" = "Linux"],
> >       [ERROR_IF_NO_PROG([groupadd])
> >        ERROR_IF_NO_PROG([useradd])
> >        ERROR_IF_NO_PROG([id])
> >        ERROR_IF_NO_PROG([chown])
> >        ERROR_IF_NO_PROG([chmod])
> >        ERROR_IF_NO_PROG([mkdir])
> >        ERROR_IF_NO_PROG([setfacl])])
> >
> > But in the context of Buildroot, using groupadd, useradd, chown, chmod,
> > setfacl at install time cannot work, since we're not doing "make
> > install" as root.
> >
> > So are we sure that adding host-acl as a dependency to get a host
> > variant of setfacl is really the good solution?
> >
> > How is it handled for groupadd/useradd/chown/chmod today ?
> groupadd/useradd/chown/chmod are called since version 3.0.0 and
> https://github.com/tpm2-software/tpm2-tss/commit/d01c24e6cb095e18c5e29af4a3018010b3230a6d
> 
> setfacl is called since version 3.0.0 and
> https://github.com/tpm2-software/tpm2-tss/commit/811e451c94254496338d36783cda44a7729b085a
> 
> But more importantly, all those functions are not even used on a
> target without systemd and a host with
> systemd-{sysusers,tmpfiles} because tpm2-tss try to install files in
> $(TARGET_DIR)/etc/{sysusers,tmpfiles}.d which don't even exist if
> BR2_INIT_SYSTEMD is not set.
> Even if BR2_INIT_SYSTEMD is set, the path is wrong as it should be
> installed in $(TARGET_DIR)/usr/lib/{sysusers,tmpfiles}.d
> 
> To conclude, I would say that install of tpm2-tss is partially broken
> since at least bump to version 3.0.0 in commit
> 89f3d90e24bb24b70fc4a37bf8cff6186672475c.

Agreed, the install is borked because it is looking for programs at
configure time, so it finds those on the host if they exist, or do not
find any at all, which can very well differ from what will be present
on the target.

But I would say that this is not totally unreasonable: there is no way,
at cross-configure time, for a package to find the tools that will be
present at runtime.

All we can do in such a case it force the path to such tools.

However, in this case, tpm2-tss only uses setfacl if systemd-tmpfiles is
not available. If the call to setfacl fails, the install does not fail
(split on two lines for readability):

    @-$(call make_fapi_dirs) && $(call set_fapi_permissions) \
    || echo "WARNING Failed to create the FAPI directories with the correct permissions"

set_fapi_permissions is a macro that eventually expands to:

    (chown -R tss:tss "$1") && \
    (chmod -R 2775 "$1") && \
    (setfacl -m default:group:tss:rwx "$1")

So the call to setfacl will not even be ever attempted, because the
chown will fail first.

We have three solutions to that:

  - either we force the use of systemd-tmpfiles when tpm2-tss is
    enabled,

  - or we disable tpm2-tss if systemd-tmpfiles is not enabled,

  - or we just configure tpm2-tss with ac_cv_prog_result_setfacl=true,
    and let the install use the fallback path and be done with it.

So, this would fix the immediate issue.

Now there would remain the issue that some features of tpm2-tss sill be
incorrectly enabled/disabled depending on whther the host has or is
missing systemd-users and/or systemd-tmpfiles:

    # Check for systemd helper tools used by make install
    AC_CHECK_PROG(systemd_sysusers, systemd-sysusers, yes)
    AM_CONDITIONAL(SYSD_SYSUSERS, test "x$systemd_sysusers" = "xyes")
    AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes)
    AM_CONDITIONAL(SYSD_TMPFILES, test "x$systemd_tmpfiles" = "xyes")

In which case we would need to pass ac_cv_prog_systemd_sysusers=yes and
systemd_tmpfiles=yes when they are enabled in our config.

This would be for another patch, of course.

I'll see to send appropriate patches soonish.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot