From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Abelino Romo <abelino.romo@gmail.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v3 2/2] package/tpm2-tss-engine: add version 1.2.0
Date: Tue, 23 Dec 2025 22:23:58 +0100
Message-ID: <20251223222358.51a05729@windsurf>
In-Reply-To: <20241129221324.360497-1-abelino.romo@gmail.com>
Hello Abelino,

Sorry for the very very long delay in getting back to you. I wanted to
apply this, but unfortunately, it causes a build failure when
BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN is enabled:

src/tpm2-tss-engine-ecc.c: In function ‘init_ecc’:
src/tpm2-tss-engine-ecc.c:864:46: error: passing argument 2 of ‘EVP_PKEY_meth_get_copy’ from incompatible pointer type [-Wincompatible-pointer-types]
  864 |     EVP_PKEY_meth_get_copy(pkey_ecc_methods, &ecdsa_pkey_orig_copy);
      |                                              ^~~~~~~~~~~~~~~~~~~~~
      |                                              |
      |                                              int (**)(EVP_PKEY_CTX *, EVP_PKEY_CTX *) {aka int (**)(struct evp_pkey_ctx_st *, struct evp_pkey_ctx_st *)}
src/tpm2-tss-engine-ecc.c:867:46: error: passing argument 2 of ‘EVP_PKEY_meth_set_copy’ from incompatible pointer type [-Wincompatible-pointer-types]
  867 |     EVP_PKEY_meth_set_copy(pkey_ecc_methods, ecdsa_pkey_copy);
      |                                              ^~~~~~~~~~~~~~~
      |                                              |
      |                                              int (*)(EVP_PKEY_CTX *, EVP_PKEY_CTX *) {aka int (*)(struct evp_pkey_ctx_st *, struct evp_pkey_ctx_st *)}

etc.

Please see some more small comments below that I had fixed locally, but
that would be needed for your v4.

First, the commit title should be just:

package/tpm2-tss-engine: new package

On Fri, 29 Nov 2024 14:13:24 -0800
Abelino Romo <abelino.romo@gmail.com> wrote:
> Introduce the TPM2-TSS OpenSSL Engine to enable TPM2 device support in
> ecosystems that do not yet support OpenSSL Providers. This is
> particularly useful in the Erlang space, where OpenSSL 3 Providers are
> still under development [1].
>
> [1] https://erlangforums.com/t/openssl-3-support-for-provider-deprecated-engine-replacement/2954/2
>
> Signed-off-by: Abelino Romo <abelino.romo@gmail.com>
> ---
> Changes v2 -> v3:
> - Use manually uploaded tarball - the artifact from releases/download URL -
> and not the archive tarball.
> (suggested by Thomas Petazzoni in tpm2-tss patch thread)
>
> - Updated Signed-Off formatting.
> (suggested by Thomas Petazzoni in tpm2-tss patch thread)
>
> package/Config.in | 1 +
> ...-disabling-of-digest-sign-operations.patch | 46 +++++++++++++++++++
> package/tpm2-tss-engine/Config.in | 21 +++++++++
> package/tpm2-tss-engine/tpm2-tss-engine.hash | 3 ++
> package/tpm2-tss-engine/tpm2-tss-engine.mk | 33 +++++++++++++
> 5 files changed, 104 insertions(+)
Please add an entry in the DEVELOPERS file.
> diff --git a/package/tpm2-tss-engine/Config.in b/package/tpm2-tss-engine/Config.in
> new file mode 100644
> index 0000000000..00f8ac7632
> --- /dev/null
> +++ b/package/tpm2-tss-engine/Config.in
> @@ -0,0 +1,21 @@
> +config BR2_PACKAGE_TPM2_TSS_ENGINE
> + bool "tpm2-tss-engine"
> + select BR2_PACKAGE_TPM2_TSS
> + select BR2_PACKAGE_LIBOPENSSL_ENGINES
> + help
> + The tpm2-tss-engine project implements a cryptographic engine
> + for OpenSSL for Trusted Platform Module (TPM 2.0) using the
> + tpm2-tss software stack that follows the Trusted Computing
> + Groups (TCG) TPM Software Stack (TSS 2.0). It uses the
> + Enhanced System API (ESAPI) interface of the TSS 2.0 for
> + downwards communication. It supports RSA decryption and
> + signatures as well as ECDSA signatures.
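Review bot: the two "select" lines (BR2_PACKAGE_TPM2_TSS and
BR2_PACKAGE_LIBOPENSSL_ENGINES) have no "depends on" in the lines quoted
here, and a select does not inherit the dependencies of the symbol it
selects, so whatever those two symbols depend on has to be repeated in
this entry. In the help text, "Trusted Computing Groups (TCG)" should
read "Trusted Computing Group's (TCG)".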
Please add:
+ https://github.com/tpm2-software/tpm2-tss-engine/
> +# Since the OpenSSL 3.0 Engine APIs are deprecated, suppress the warnings.
> +TPM2_TSS_ENGINE_CFLAGS = $(TARGET_CFLAGS) -Wno-deprecated-declarations
> +TPM2_TSS_ENGINE_CONF_ENV += CFLAGS="$(TPM2_TSS_ENGINE_CFLAGS)"
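Review bot: on the CFLAGS line, -Wno-deprecated-declarations turns off
every deprecation warning in this package's build, not only the OpenSSL
3.0 Engine ones the comment names, so the comment should say that or the
suppression should be narrowed. The flag also has no effect on the
-Wincompatible-pointer-types errors quoted at the top of this reply,
which are a different diagnostic.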
Change this to:
+# Since the OpenSSL 3.0 Engine APIs are deprecated, suppress the warnings.
+TPM2_TSS_ENGINE_CONF_ENV = \
+ CFLAGS="$(TARGET_CFLAGS) -Wno-deprecated-declarations"
> +define TPM2_TSS_ENGINE_ENGINESDIR
> + $(PKG_CONFIG_HOST_BINARY) --variable=enginesdir libcrypto \
> + | xargs readlink -f \
> + | sed 's%^$(STAGING_DIR)%%'
> +endef
> +
> +TPM2_TSS_ENGINE_CONF_OPTS = \
> + --disable-defaultflags \
> + --with-enginesdir=`$(TPM2_TSS_ENGINE_ENGINESDIR)`
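Review bot: the pipeline in TPM2_TSS_ENGINE_ENGINESDIR has no failure
handling. Its exit status is that of sed, so if pkg-config cannot
resolve libcrypto the backticks expand to nothing and configure is run
with an empty "--with-enginesdir=". readlink -f also canonicalises the
path before sed strips $(STAGING_DIR), so the prefix is only removed
when $(STAGING_DIR) is itself a canonical path; otherwise the host path
ends up as the engine's install directory on the target. A check that
the result is non-empty and no longer starts with the staging path would
catch both cases.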
This to:
+# pkg-config returns a libcrypto enginesdir prefixed with the sysroot,
+# so let's rip it out.
+TPM2_TSS_ENGINE_CONF_OPTS = \
+ --disable-defaultflags \
+ --with-enginesdir=`$(PKG_CONFIG_HOST_BINARY) --variable enginesdir libcrypto | xargs readlink -f | sed 's%^$(STAGING_DIR)%%'`
> +ifneq ($(BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN),y)
> +TPM2_TSS_ENGINE_CONF_OPTS += --disable-digestsign
> +endif
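Review bot: the ifneq handles only the disabled case, so with
BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN=y nothing is passed to configure
and the outcome depends on its default. That enabled case is also the
configuration that produces the EVP_PKEY_meth_get_copy and
EVP_PKEY_meth_set_copy errors quoted at the top of this reply, so the
option should not be selectable until that path compiles.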
And this to:
+ifeq ($(BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN),y)
+TPM2_TSS_ENGINE_CONF_OPTS += --enable-digestsign
+else
+TPM2_TSS_ENGINE_CONF_OPTS += --disable-digestsign
+endif
Thanks a lot!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com