Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 0/2] Add support for tpm2-tss v4.1.3 and tpm2-tss-engine v1.2.0
@ 2024-11-25  0:02 abelino
  2024-11-25  0:02 ` [Buildroot] [PATCH 1/2] package/tpm2-tss: bump version to 4.1.3 abelino
  2024-11-25  0:02 ` [Buildroot] [PATCH 2/2] package/tpm2-tss-engine: add version 1.2.0 abelino
  0 siblings, 2 replies; 14+ messages in thread
From: abelino @ 2024-11-25  0:02 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni, abelino

This patch series introduces updates and additions for the TPM2 software stack,
specifically targeting the `tpm2-tss` and `tpm2-tss-engine` packages. These
updates have been tested and are in use on a project featuring an
Infineon SLB9673 TPM module.

The first patch updates `tpm2-tss` to version 4.1.3, which resolves an issue
encountered while reading NV indices with earlier versions (i.e., v3.2.2).
Additionally, the update incorporates numerous fixes and enhancements
introduced in intermediary releases, including a patch for CVE-2024-29040.

The second patch adds support for the `tpm2-tss-engine` package at
version 1.2.0. This package provides an OpenSSL Engine implementation for TPM2
devices, ensuring compatibility with ecosystems—such as Erlang—that rely on
OpenSSL Engines due to incomplete support for OpenSSL Providers.

abelino (2):
  package/tpm2-tss: bump version to 4.1.3
  package/tpm2-tss-engine: add version 1.2.0

 .checkpackageignore                           |  1 -
 package/Config.in                             |  1 +
 ...-disabling-of-digest-sign-operations.patch | 46 +++++++++++++++++++
 package/tpm2-tss-engine/Config.in             | 12 +++++
 package/tpm2-tss-engine/tpm2-tss-engine.hash  |  3 ++
 package/tpm2-tss-engine/tpm2-tss-engine.mk    | 19 ++++++++
 ...01-Temporary-fix-for-build-without-C.patch | 44 ------------------
 package/tpm2-tss/Config.in                    |  2 +
 package/tpm2-tss/tpm2-tss.hash                |  2 +-
 package/tpm2-tss/tpm2-tss.mk                  |  9 ++--
 10 files changed, 87 insertions(+), 52 deletions(-)
 create mode 100644 package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
 create mode 100644 package/tpm2-tss-engine/Config.in
 create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.hash
 create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.mk
 delete mode 100644 package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch

--
2.47.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* [Buildroot] [PATCH 1/2] package/tpm2-tss: bump version to 4.1.3
  2024-11-25  0:02 [Buildroot] [PATCH 0/2] Add support for tpm2-tss v4.1.3 and tpm2-tss-engine v1.2.0 abelino
@ 2024-11-25  0:02 ` abelino
  2024-11-25 17:18   ` Vincent Jardin
  2024-11-27  5:25   ` [Buildroot] [PATCH v2 " abelino
  2024-11-25  0:02 ` [Buildroot] [PATCH 2/2] package/tpm2-tss-engine: add version 1.2.0 abelino
  1 sibling, 2 replies; 14+ messages in thread
From: abelino @ 2024-11-25  0:02 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni, abelino

On v3.2.2, testing with an Infineon SLB9673 resulted in the following
error when attempting to read from a previously written NV index.
Upgrading to the latest release, v4.1.3, resolves the issue:

```shell
~# tpm2_nvread 0x1900001
WARN: Reading full size of the NV index
ERROR:esys:../tpm2-tss-3.2.2/src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() Error: Esys handle does not exist (70018).
ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad
ERROR: Failed to get shandle
ERROR: Failed to read NVRAM area at index 0x1900001
ERROR: Unable to run tpm2_nvread
```

Between v3.2.2 and v4.1.3, the most notable update is v4.1.0 [1], which
includes a fix for CVE-2024-29040, along with 40+ bug fixes and 10+ new
features. Bumping to v4.1.3 adds access to these improvements and
addresses the NV index read issue.

[1] https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0

Signed-off-by: abelino <abelino.romo@gmail.com>
---
 .checkpackageignore                           |  1 -
 ...01-Temporary-fix-for-build-without-C.patch | 44 -------------------
 package/tpm2-tss/Config.in                    |  2 +
 package/tpm2-tss/tpm2-tss.hash                |  2 +-
 package/tpm2-tss/tpm2-tss.mk                  |  9 ++--
 5 files changed, 6 insertions(+), 52 deletions(-)
 delete mode 100644 package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch

diff --git a/.checkpackageignore b/.checkpackageignore
index b793026881..906a733b7b 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -1237,7 +1237,6 @@ package/tinycompress/0001-wave-add-time.h-missing-header-inclusion.patch lib_pat
 package/tinydtls/0001-sha2-sha2.c-fix-build-on-big-endian.patch lib_patch.Upstream
 package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch lib_patch.Upstream
 package/tpm2-abrmd/S80tpm2-abrmd Shellcheck lib_sysv.Indent lib_sysv.Variables
-package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch lib_patch.Upstream
 package/transmission/S92transmission Shellcheck lib_sysv.ConsecutiveEmptyLines lib_sysv.Indent lib_sysv.Variables
 package/triggerhappy/S10triggerhappy Shellcheck lib_sysv.Indent lib_sysv.Variables
 package/trinity/0001-Fix-build-with-GCC-10.patch lib_patch.Upstream
diff --git a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch b/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
deleted file mode 100644
index 812c753ffb..0000000000
--- a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 7dc753ad27a8cd14c9b00be94ca89b847cf05ce9 Mon Sep 17 00:00:00 2001
-From: Carlos Santos <unixmania@gmail.com>
-Date: Mon, 23 Dec 2019 08:02:19 -0300
-Subject: [PATCH] Temporary fix for build without C++
-
-C++ is required only for the fuzzing tests but AC_PROG_CXX is included
-by configure.ac even when fuzzing is not enabled (which we don't do on
-Buildroot).
-
-The patch applied upstream had issues and was reverted[1]. Use a local
-patch to solve the problem temporaryly.
-
-Fixes:
-    http://autobuild.buildroot.net/results/13f5e37b47b255da4158bec34e5459136f7e60d4
-    http://autobuild.buildroot.net/results/1c26db2509c79e00c0de1165945277eaa57b149f
-    http://autobuild.buildroot.net/results/b7b6b7b7aca79e847b442cbd2305427d91fe5d70
-    http://autobuild.buildroot.net/results/1cd5a82a0e799aa5027e2e2c03b246332cc3a15d
-    http://autobuild.buildroot.net/results/d7ec878907f714377c83e9a496e97cbf9382d787
-    http://autobuild.buildroot.net/results/1c7f0c1b3ce4871cd87bd6059b1f0a6dc4e74a9c
-    http://autobuild.buildroot.net/results/196b81d580325607c8da90beeb79e1f6b8ab8b47
-    http://autobuild.buildroot.net/results/f90f7b4ac710b56686635f8ae27059c11b963e47
-
-1. https://github.com/tpm2-software/tpm2-tss/commit/60c26e4c4faba6ba12469485653e17092b510840
-
-Signed-off-by: Carlos Santos <unixmania@gmail.com>
----
- configure.ac | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index ff59dd7c..3e4028fb 100755
---- a/configure.ac
-+++ b/configure.ac
-@@ -26,7 +26,6 @@ AX_IS_RELEASE(dash-version)
- AX_CHECK_ENABLE_DEBUG([info])
- 
- AC_PROG_CC
--AC_PROG_CXX
- AC_PROG_LN_S
- AC_USE_SYSTEM_EXTENSIONS
- LT_INIT()
--- 
-2.26.2
-
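Review bot: The commit message does not say why this local patch can be dropped. It removed `AC_PROG_CXX` so that the package configures on toolchains without C++; state whether 4.1.3 no longer requires a C++ compiler outside of fuzzing and that a build with a C-only toolchain was tried, since the removal of `TPM2_TSS_AUTORECONF = YES` later in this patch depends on it.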
diff --git a/package/tpm2-tss/Config.in b/package/tpm2-tss/Config.in
index 857987ae36..d87c1e0d8d 100644
--- a/package/tpm2-tss/Config.in
+++ b/package/tpm2-tss/Config.in
@@ -39,6 +39,8 @@ config BR2_PACKAGE_TPM2_TSS_FAPI
 	depends on BR2_TOOLCHAIN_HAS_SYNC_4 # json-c
 	select BR2_PACKAGE_JSON_C
 	select BR2_PACKAGE_LIBCURL
+	select BR2_PACKAGE_UTIL_LINUX
+	select BR2_PACKAGE_UTIL_LINUX_LIBUUID
 	help
 	  This option allows to enable Feature API (FAPI).  Feature
 	  API (FAPI) as described in the "TSS 2.0 Feature API
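Review bot: The two new `select` lines under `BR2_PACKAGE_TPM2_TSS_FAPI` are not explained in the commit message. Say which part of FAPI in 4.1.3 needs libuuid, and check that `BR2_PACKAGE_UTIL_LINUX_LIBUUID` carries no `depends on` of its own that would have to be repeated on this option.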
diff --git a/package/tpm2-tss/tpm2-tss.hash b/package/tpm2-tss/tpm2-tss.hash
index c9fa4e6ae0..891c1285b0 100644
--- a/package/tpm2-tss/tpm2-tss.hash
+++ b/package/tpm2-tss/tpm2-tss.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  ba9e52117f254f357ff502e7d60fce652b3bfb26327d236bbf5ab634235e40f1  tpm2-tss-3.2.2.tar.gz
+sha256  37f1580200ab78305d1fc872d89241aaee0c93cbe85bc559bf332737a60d3be8  tpm2-tss-4.1.3.tar.gz
 sha256  18c1bf4b1ba1fb2c4ffa7398c234d83c0d55475298e470ae1e5e3a8a8bd2e448  LICENSE
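Review bot: The replaced `tpm2-tss-4.1.3.tar.gz` line is still covered only by the "Locally computed" comment. If upstream publishes a signature or checksum for the release tarball, verify the download against it and say so in the comment, so the pinned hash is anchored to something other than the download itself.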
diff --git a/package/tpm2-tss/tpm2-tss.mk b/package/tpm2-tss/tpm2-tss.mk
index b76d16e71e..c8a7df7724 100644
--- a/package/tpm2-tss/tpm2-tss.mk
+++ b/package/tpm2-tss/tpm2-tss.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-TPM2_TSS_VERSION = 3.2.2
+TPM2_TSS_VERSION = 4.1.3
 TPM2_TSS_SITE = https://github.com/tpm2-software/tpm2-tss/releases/download/$(TPM2_TSS_VERSION)
 TPM2_TSS_LICENSE = BSD-2-Clause
 TPM2_TSS_LICENSE_FILES = LICENSE
@@ -13,9 +13,6 @@ TPM2_TSS_CPE_ID_PRODUCT = tpm2_software_stack
 TPM2_TSS_INSTALL_STAGING = YES
 TPM2_TSS_DEPENDENCIES = openssl host-pkgconf
 
-# 0001-configure-Only-use-CXX-when-fuzzing.patch
-TPM2_TSS_AUTORECONF = YES
-
 # systemd-sysusers and systemd-tmpfiles are only used at install time
 # to trigger the creation of users adn tmpfiles, which we do not care
 # about at build time. groupadd, useradd, and setfacl are used in the
@@ -36,10 +33,10 @@ TPM2_TSS_CONF_OPTS = \
 TPM2_TSS_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -std=c99"
 
 ifeq ($(BR2_PACKAGE_TPM2_TSS_FAPI),y)
-TPM2_TSS_DEPENDENCIES += json-c libcurl
+TPM2_TSS_DEPENDENCIES += json-c libcurl util-linux
 TPM2_TSS_CONF_OPTS += --enable-fapi
 else
-TPM2_TSS_CONF_OPTS += --disable-fapi
+TPM2_TSS_CONF_OPTS += --disable-fapi --disable-policy
 endif
 
 define TPM2_TSS_USERS
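Review bot: `--disable-policy` in the `else` branch is a behaviour change that the commit message does not mention. Explain why the policy library has to be switched off when FAPI is disabled (for example, that it shares the json-c/libcurl/libuuid dependencies), ideally as a comment above the `ifeq`, so the option is not dropped or misread in a later bump.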
-- 
2.47.0


* [Buildroot] [PATCH 2/2] package/tpm2-tss-engine: add version 1.2.0
  2024-11-25  0:02 [Buildroot] [PATCH 0/2] Add support for tpm2-tss v4.1.3 and tpm2-tss-engine v1.2.0 abelino
  2024-11-25  0:02 ` [Buildroot] [PATCH 1/2] package/tpm2-tss: bump version to 4.1.3 abelino
@ 2024-11-25  0:02 ` abelino
  2024-11-25 17:11   ` Vincent Jardin
  2024-11-27  5:27   ` [Buildroot] [PATCH v2 " abelino
  1 sibling, 2 replies; 14+ messages in thread
From: abelino @ 2024-11-25  0:02 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni, abelino

Introduce the TPM2-TSS OpenSSL Engine to enable TPM2 device support in
ecosystems that do not yet support OpenSSL Providers. This is
particularly useful in the Erlang space, where OpenSSL 3 Providers are
still under development [1].

[1] https://erlangforums.com/t/openssl-3-support-for-provider-deprecated-engine-replacement/2954/2

Signed-off-by: abelino <abelino.romo@gmail.com>
---
 package/Config.in                             |  1 +
 ...-disabling-of-digest-sign-operations.patch | 46 +++++++++++++++++++
 package/tpm2-tss-engine/Config.in             | 12 +++++
 package/tpm2-tss-engine/tpm2-tss-engine.hash  |  3 ++
 package/tpm2-tss-engine/tpm2-tss-engine.mk    | 19 ++++++++
 5 files changed, 81 insertions(+)
 create mode 100644 package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
 create mode 100644 package/tpm2-tss-engine/Config.in
 create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.hash
 create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.mk

diff --git a/package/Config.in b/package/Config.in
index 1eb5e1e020..4f4b7a34d5 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1633,6 +1633,7 @@ menu "Crypto"
 	source "package/tpm2-openssl/Config.in"
 	source "package/tpm2-pkcs11/Config.in"
 	source "package/tpm2-tss/Config.in"
+	source "package/tpm2-tss-engine/Config.in"
 	source "package/trousers/Config.in"
 	source "package/ustream-ssl/Config.in"
 	source "package/wolfssl/Config.in"
diff --git a/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
new file mode 100644
index 0000000000..7ce717df4a
--- /dev/null
+++ b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
@@ -0,0 +1,46 @@
+From af8b26e7ffe69837197fb841e9a31230ae01c9cc Mon Sep 17 00:00:00 2001
+From: Andreas Fuchs <andreas.fuchs@infineon.com>
+Date: Mon, 22 May 2023 14:06:41 +0200
+Subject: [PATCH] Configure: Allow disabling of digest-sign operations
+
+Since the digest-sign operations perform the hash on the TPM and
+TPMs in general do not support SHA512, this can lead to errors.
+Depending on the use case, it might be preferable to not support
+restricted keys (via digest+sign) but to rely on ordinary keys
+only.
+
+Upstream: https://github.com/tpm2-software/tpm2-tss-engine/commit/af8b26e7ffe69837197fb841e9a31230ae01c9cc
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+---
+ configure.ac | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d4a9356..b379042 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,13 +116,19 @@ PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g],
+ PKG_CHECK_MODULES([TSS2_ESYS], [tss2-esys >= 2.3])
+ PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
+ PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr])
++
+ AC_CHECK_LIB([crypto], EC_KEY_METHOD_set_compute_key,
+       [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], true)],
+       [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], false)])
++
++AC_ARG_ENABLE([digestsign],
++              [AS_HELP_STRING([--disable-digestsign],
++                              [Disable support for digest and sign methods, helps with TPM unsupported hash algorithms.])],,
++              [enable_digestsign=yes])
+ AC_CHECK_LIB([crypto], EVP_PKEY_meth_set_digest_custom,
+-      [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], true)],
++      [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], [test "x$enable_digestsign" != "xno"])],
+       [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], false)])
+-AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes],
++AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes && test "x$enable_digestsign" = "xyes"],
+       [AC_DEFINE([HAVE_OPENSSL_DIGEST_SIGN], [1],
+                  Have required functionality from OpenSSL to support digest and sign)])
+ 
+-- 
+2.47.0
+
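Review bot: The two tests on `enable_digestsign` in the bundled configure.ac change do not agree: the `AM_CONDITIONAL` uses `test "x$enable_digestsign" != "xno"`, while the `AS_IF` that defines `HAVE_OPENSSL_DIGEST_SIGN` requires `= "xyes"`. For any value other than `yes` or `no` the Automake conditional is true but the C macro is not defined. Buildroot only passes `--disable-digestsign`, so the backport can stay identical to upstream, but the mismatch is worth reporting there.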
diff --git a/package/tpm2-tss-engine/Config.in b/package/tpm2-tss-engine/Config.in
new file mode 100644
index 0000000000..27d925a60f
--- /dev/null
+++ b/package/tpm2-tss-engine/Config.in
@@ -0,0 +1,12 @@
+config BR2_PACKAGE_TPM2_TSS_ENGINE
+	bool "tpm2-tss-engine"
+	select BR2_PACKAGE_TPM2_TSS
+	select BR2_PACKAGE_LIBOPENSSL_ENGINES
+	help
+	  The tpm2-tss-engine project implements a cryptographic engine
+	  for OpenSSL for Trusted Platform Module (TPM 2.0) using the
+	  tpm2-tss software stack that follows the Trusted Computing
+	  Groups (TCG) TPM Software Stack (TSS 2.0). It uses the
+	  Enhanced System API (ESAPI) interface of the TSS 2.0 for
+	  downwards communication. It supports RSA decryption and
+	  signatures as well as ECDSA signatures.
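Review bot: This entry has two `select` lines and no `depends on` at all. Any dependencies of `BR2_PACKAGE_TPM2_TSS` and `BR2_PACKAGE_LIBOPENSSL_ENGINES` need to be propagated here, with a matching `comment` for the unmet case. The help text also ends without the upstream project URL, and the diffstat shows no `DEVELOPERS` entry for the new package.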
diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.hash b/package/tpm2-tss-engine/tpm2-tss-engine.hash
new file mode 100644
index 0000000000..294847d5f8
--- /dev/null
+++ b/package/tpm2-tss-engine/tpm2-tss-engine.hash
@@ -0,0 +1,3 @@
+# Locally computed:
+sha256  3c94fef110dd3630b3c28c5875febba76b7d5ba2fcc04a14c4a30f5d2157c265  tpm2-tss-engine-1.2.0.tar.gz
+sha256  7a77915f34caf18d47bc31750dae47dbd7f7895e95bbb8370f477c25009388f6  LICENSE
diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.mk b/package/tpm2-tss-engine/tpm2-tss-engine.mk
new file mode 100644
index 0000000000..768f9ee3bd
--- /dev/null
+++ b/package/tpm2-tss-engine/tpm2-tss-engine.mk
@@ -0,0 +1,19 @@
+################################################################################
+#
+# tpm2-tss-engine
+#
+################################################################################
+
+TPM2_TSS_ENGINE_VERSION = 1.2.0
+TPM2_TSS_ENGINE_SITE = https://github.com/tpm2-software/tpm2-tss-engine/releases/download/$(TPM2_TSS_ENGINE_VERSION)
+TPM2_TSS_ENGINE_LICENSE = BSD-3-Clause
+TPM2_TSS_ENGINE_LICENSE_FILES = LICENSE
+TPM2_TSS_ENGINE_INSTALL_STAGING = YES
+TPM2_TSS_ENGINE_DEPENDENCIES = host-pkgconf tpm2-tss
+TPM2_TSS_ENGINE_AUTORECONF = YES
+
+TPM2_TSS_ENGINE_CONF_OPTS = \
+	--disable-digestsign \
+	--with-enginesdir="/usr/lib/engines-3"
+
+$(eval $(autotools-package))
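Review bot: `TPM2_TSS_ENGINE_DEPENDENCIES` lists only `host-pkgconf tpm2-tss`, yet the configure.ac shown in the bundled patch checks for `libcrypto` and the Config.in selects `BR2_PACKAGE_LIBOPENSSL_ENGINES`. Add `openssl` so the build order does not rely on tpm2-tss pulling it in first. `TPM2_TSS_ENGINE_AUTORECONF = YES` should also carry a one-line comment saying it is needed because 0001 patches configure.ac.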
-- 
2.47.0


* Re: [Buildroot] [PATCH 2/2] package/tpm2-tss-engine: add version 1.2.0
  2024-11-25  0:02 ` [Buildroot] [PATCH 2/2] package/tpm2-tss-engine: add version 1.2.0 abelino
@ 2024-11-25 17:11   ` Vincent Jardin
  2024-11-27  5:27   ` [Buildroot] [PATCH v2 " abelino
  1 sibling, 0 replies; 14+ messages in thread
From: Vincent Jardin @ 2024-11-25 17:11 UTC (permalink / raw)
  To: abelino; +Cc: buildroot

Hi,

Thanks for this contribution. See some comments below.

On Sun, Nov 24, 2024 at 04:02:18PM UTC, abelino wrote:
> Introduce the TPM2-TSS OpenSSL Engine to enable TPM2 device support in
> ecosystems that do not yet support OpenSSL Providers. This is
> particularly useful in the Erlang space, where OpenSSL 3 Providers are
> still under development [1].

Does it imply that we should be having such a warning?

src/tpm2-tss-engine-rand.c: In function ‘init_rand’:
src/tpm2-tss-engine-rand.c:150:5: warning: ‘ENGINE_set_RAND’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  150 |     return ENGINE_set_RAND(e, &rand_methods);
      |     ^~~~~~

> 
> [1] https://erlangforums.com/t/openssl-3-support-for-provider-deprecated-engine-replacement/2954/2
> 
> Signed-off-by: abelino <abelino.romo@gmail.com>
> ---
>  package/Config.in                             |  1 +
>  ...-disabling-of-digest-sign-operations.patch | 46 +++++++++++++++++++
>  package/tpm2-tss-engine/Config.in             | 12 +++++
>  package/tpm2-tss-engine/tpm2-tss-engine.hash  |  3 ++
>  package/tpm2-tss-engine/tpm2-tss-engine.mk    | 19 ++++++++
>  5 files changed, 81 insertions(+)
>  create mode 100644 package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
>  create mode 100644 package/tpm2-tss-engine/Config.in
>  create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.hash
>  create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.mk
> 
> diff --git a/package/Config.in b/package/Config.in
> index 1eb5e1e020..4f4b7a34d5 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1633,6 +1633,7 @@ menu "Crypto"
>  	source "package/tpm2-openssl/Config.in"
>  	source "package/tpm2-pkcs11/Config.in"
>  	source "package/tpm2-tss/Config.in"
> +	source "package/tpm2-tss-engine/Config.in"
>  	source "package/trousers/Config.in"
>  	source "package/ustream-ssl/Config.in"
>  	source "package/wolfssl/Config.in"
> diff --git a/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
> new file mode 100644
> index 0000000000..7ce717df4a
> --- /dev/null
> +++ b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
> @@ -0,0 +1,46 @@
> +From af8b26e7ffe69837197fb841e9a31230ae01c9cc Mon Sep 17 00:00:00 2001
> +From: Andreas Fuchs <andreas.fuchs@infineon.com>
> +Date: Mon, 22 May 2023 14:06:41 +0200
> +Subject: [PATCH] Configure: Allow disabling of digest-sign operations
> +
> +Since the digest-sign operations perform the hash on the TPM and
> +TPMs in general do not support SHA512, this can lead to errors.
> +Depending on the use case, it might be preferable to not support
> +restricted keys (via digest+sign) but to rely on ordinary keys
> +only.
> +
> +Upstream: https://github.com/tpm2-software/tpm2-tss-engine/commit/af8b26e7ffe69837197fb841e9a31230ae01c9cc
> +Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>

When will a tpm2-tss-engine release update be available to avoid this
patch? Did you suggest/ask for a new release to the tpm2-tss-engine
community using a GitHub issue?

> +---
> + configure.ac | 10 ++++++++--
> + 1 file changed, 8 insertions(+), 2 deletions(-)
> +
> +diff --git a/configure.ac b/configure.ac
> +index d4a9356..b379042 100644
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -116,13 +116,19 @@ PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g],
> + PKG_CHECK_MODULES([TSS2_ESYS], [tss2-esys >= 2.3])
> + PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
> + PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr])
> ++
> + AC_CHECK_LIB([crypto], EC_KEY_METHOD_set_compute_key,
> +       [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], true)],
> +       [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], false)])
> ++
> ++AC_ARG_ENABLE([digestsign],
> ++              [AS_HELP_STRING([--disable-digestsign],
> ++                              [Disable support for digest and sign methods, helps with TPM unsupported hash algorithms.])],,
> ++              [enable_digestsign=yes])
> + AC_CHECK_LIB([crypto], EVP_PKEY_meth_set_digest_custom,
> +-      [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], true)],
> ++      [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], [test "x$enable_digestsign" != "xno"])],
> +       [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], false)])
> +-AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes],
> ++AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes && test "x$enable_digestsign" = "xyes"],
> +       [AC_DEFINE([HAVE_OPENSSL_DIGEST_SIGN], [1],
> +                  Have required functionality from OpenSSL to support digest and sign)])
> + 
> +-- 
> +2.47.0
> +
> diff --git a/package/tpm2-tss-engine/Config.in b/package/tpm2-tss-engine/Config.in
> new file mode 100644
> index 0000000000..27d925a60f
> --- /dev/null
> +++ b/package/tpm2-tss-engine/Config.in
> @@ -0,0 +1,12 @@
> +config BR2_PACKAGE_TPM2_TSS_ENGINE
> +	bool "tpm2-tss-engine"
> +	select BR2_PACKAGE_TPM2_TSS
> +	select BR2_PACKAGE_LIBOPENSSL_ENGINES
> +	help
> +	  The tpm2-tss-engine project implements a cryptographic engine
> +	  for OpenSSL for Trusted Platform Module (TPM 2.0) using the
> +	  tpm2-tss software stack that follows the Trusted Computing
> +	  Groups (TCG) TPM Software Stack (TSS 2.0). It uses the
> +	  Enhanced System API (ESAPI) interface of the TSS 2.0 for
> +	  downwards communication. It supports RSA decryption and
> +	  signatures as well as ECDSA signatures.
> diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.hash b/package/tpm2-tss-engine/tpm2-tss-engine.hash
> new file mode 100644
> index 0000000000..294847d5f8
> --- /dev/null
> +++ b/package/tpm2-tss-engine/tpm2-tss-engine.hash
> @@ -0,0 +1,3 @@
> +# Locally computed:
> +sha256  3c94fef110dd3630b3c28c5875febba76b7d5ba2fcc04a14c4a30f5d2157c265  tpm2-tss-engine-1.2.0.tar.gz
> +sha256  7a77915f34caf18d47bc31750dae47dbd7f7895e95bbb8370f477c25009388f6  LICENSE
> diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.mk b/package/tpm2-tss-engine/tpm2-tss-engine.mk
> new file mode 100644
> index 0000000000..768f9ee3bd
> --- /dev/null
> +++ b/package/tpm2-tss-engine/tpm2-tss-engine.mk
> @@ -0,0 +1,19 @@
> +################################################################################
> +#
> +# tpm2-tss-engine
> +#
> +################################################################################
> +
> +TPM2_TSS_ENGINE_VERSION = 1.2.0
> +TPM2_TSS_ENGINE_SITE = https://github.com/tpm2-software/tpm2-tss-engine/releases/download/$(TPM2_TSS_ENGINE_VERSION)

You should rather use:
TPM2_TSS_ENGINE_SITE = $(call github,tpm2-software,tpm2-tss-engine,$(TPM2_TSS_ENGINE_VERSION))

I did try it, you'll need to update the hash/signature file too.

> +TPM2_TSS_ENGINE_LICENSE = BSD-3-Clause
> +TPM2_TSS_ENGINE_LICENSE_FILES = LICENSE
> +TPM2_TSS_ENGINE_INSTALL_STAGING = YES
> +TPM2_TSS_ENGINE_DEPENDENCIES = host-pkgconf tpm2-tss
> +TPM2_TSS_ENGINE_AUTORECONF = YES
> +
> +TPM2_TSS_ENGINE_CONF_OPTS = \
> +	--disable-digestsign \

The --disable-digestsign can make sense, but it should be a Config.in
flag.

> +	--with-enginesdir="/usr/lib/engines-3"

Could you align it with the libp11 enginesdir too?

They are using:
# pkg-config returns a libcrypto enginesdir prefixed with the sysroot,
# so let's rip it out.
LIBP11_CONF_OPTS = \
        --with-enginesdir=`$(PKG_CONFIG_HOST_BINARY) --variable enginesdir libcrypto | xargs readlink -f | sed 's%^$(STAGING_DIR)%%'`

best regards,
  Vincent

> +
> +$(eval $(autotools-package))
> -- 
> 2.47.0
> 

* Re: [Buildroot] [PATCH 1/2] package/tpm2-tss: bump version to 4.1.3
  2024-11-25  0:02 ` [Buildroot] [PATCH 1/2] package/tpm2-tss: bump version to 4.1.3 abelino
@ 2024-11-25 17:18   ` Vincent Jardin
  2024-11-28 10:46     ` Fiona Klute via buildroot
  2024-11-27  5:25   ` [Buildroot] [PATCH v2 " abelino
  1 sibling, 1 reply; 14+ messages in thread
From: Vincent Jardin @ 2024-11-25 17:18 UTC (permalink / raw)
  To: abelino; +Cc: buildroot

Hi,

see below,

On Sun, Nov 24, 2024 at 04:02:17PM UTC, abelino wrote:
> On v3.2.2, testing with an Infineon SLB9673 resulted in the following
> error when attempting to read from a previously written NV index.
> Upgrading to the latest release, v4.1.3, resolves the issue:
> 
> ```shell
> ~# tpm2_nvread 0x1900001
> WARN: Reading full size of the NV index
> ERROR:esys:../tpm2-tss-3.2.2/src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() Error: Esys handle does not exist (70018).
> ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad
> ERROR: Failed to get shandle
> ERROR: Failed to read NVRAM area at index 0x1900001
> ERROR: Unable to run tpm2_nvread
> ```
> 
> Between v3.2.2 and v4.1.3, the most notable update is v4.1.0 [1], which
> includes a fix for CVE-2024-29040, along with 40+ bug fixes and 10+ new
> features. Bumping to v4.1.3 adds access to these improvements and
> addresses the NV index read issue.
> 
> [1] https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0
> 
> Signed-off-by: abelino <abelino.romo@gmail.com>
> ---
>  .checkpackageignore                           |  1 -
>  ...01-Temporary-fix-for-build-without-C.patch | 44 -------------------
>  package/tpm2-tss/Config.in                    |  2 +
>  package/tpm2-tss/tpm2-tss.hash                |  2 +-
>  package/tpm2-tss/tpm2-tss.mk                  |  9 ++--
>  5 files changed, 6 insertions(+), 52 deletions(-)
>  delete mode 100644 package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
> 
> diff --git a/.checkpackageignore b/.checkpackageignore
> index b793026881..906a733b7b 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1237,7 +1237,6 @@ package/tinycompress/0001-wave-add-time.h-missing-header-inclusion.patch lib_pat
>  package/tinydtls/0001-sha2-sha2.c-fix-build-on-big-endian.patch lib_patch.Upstream
>  package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch lib_patch.Upstream
>  package/tpm2-abrmd/S80tpm2-abrmd Shellcheck lib_sysv.Indent lib_sysv.Variables
> -package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch lib_patch.Upstream
>  package/transmission/S92transmission Shellcheck lib_sysv.ConsecutiveEmptyLines lib_sysv.Indent lib_sysv.Variables
>  package/triggerhappy/S10triggerhappy Shellcheck lib_sysv.Indent lib_sysv.Variables
>  package/trinity/0001-Fix-build-with-GCC-10.patch lib_patch.Upstream
> diff --git a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch b/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
> deleted file mode 100644
> index 812c753ffb..0000000000
> --- a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
> +++ /dev/null
> @@ -1,44 +0,0 @@
> -From 7dc753ad27a8cd14c9b00be94ca89b847cf05ce9 Mon Sep 17 00:00:00 2001
> -From: Carlos Santos <unixmania@gmail.com>
> -Date: Mon, 23 Dec 2019 08:02:19 -0300
> -Subject: [PATCH] Temporary fix for build without C++
> -
> -C++ is required only for the fuzzing tests but AC_PROG_CXX is included
> -by configure.ac even when fuzzing is not enabled (which we don't do on
> -Buildroot).
> -
> -The patch applied upstream had issues and was reverted[1]. Use a local
> -patch to solve the problem temporaryly.
> -
> -Fixes:
> -    http://autobuild.buildroot.net/results/13f5e37b47b255da4158bec34e5459136f7e60d4
> -    http://autobuild.buildroot.net/results/1c26db2509c79e00c0de1165945277eaa57b149f
> -    http://autobuild.buildroot.net/results/b7b6b7b7aca79e847b442cbd2305427d91fe5d70
> -    http://autobuild.buildroot.net/results/1cd5a82a0e799aa5027e2e2c03b246332cc3a15d
> -    http://autobuild.buildroot.net/results/d7ec878907f714377c83e9a496e97cbf9382d787
> -    http://autobuild.buildroot.net/results/1c7f0c1b3ce4871cd87bd6059b1f0a6dc4e74a9c
> -    http://autobuild.buildroot.net/results/196b81d580325607c8da90beeb79e1f6b8ab8b47
> -    http://autobuild.buildroot.net/results/f90f7b4ac710b56686635f8ae27059c11b963e47
> -
> -1. https://github.com/tpm2-software/tpm2-tss/commit/60c26e4c4faba6ba12469485653e17092b510840
> -
> -Signed-off-by: Carlos Santos <unixmania@gmail.com>
> ----
> - configure.ac | 1 -
> - 1 file changed, 1 deletion(-)
> -
> -diff --git a/configure.ac b/configure.ac
> -index ff59dd7c..3e4028fb 100755
> ---- a/configure.ac
> -+++ b/configure.ac
> -@@ -26,7 +26,6 @@ AX_IS_RELEASE(dash-version)
> - AX_CHECK_ENABLE_DEBUG([info])
> - 
> - AC_PROG_CC
> --AC_PROG_CXX
> - AC_PROG_LN_S
> - AC_USE_SYSTEM_EXTENSIONS
> - LT_INIT()
> --- 
> -2.26.2
> -
> diff --git a/package/tpm2-tss/Config.in b/package/tpm2-tss/Config.in
> index 857987ae36..d87c1e0d8d 100644
> --- a/package/tpm2-tss/Config.in
> +++ b/package/tpm2-tss/Config.in
> @@ -39,6 +39,8 @@ config BR2_PACKAGE_TPM2_TSS_FAPI
>  	depends on BR2_TOOLCHAIN_HAS_SYNC_4 # json-c
>  	select BR2_PACKAGE_JSON_C
>  	select BR2_PACKAGE_LIBCURL
> +	select BR2_PACKAGE_UTIL_LINUX
> +	select BR2_PACKAGE_UTIL_LINUX_LIBUUID
>  	help
>  	  This option allows to enable Feature API (FAPI).  Feature
>  	  API (FAPI) as described in the "TSS 2.0 Feature API
> diff --git a/package/tpm2-tss/tpm2-tss.hash b/package/tpm2-tss/tpm2-tss.hash
> index c9fa4e6ae0..891c1285b0 100644
> --- a/package/tpm2-tss/tpm2-tss.hash
> +++ b/package/tpm2-tss/tpm2-tss.hash
> @@ -1,3 +1,3 @@
>  # Locally computed:
> -sha256  ba9e52117f254f357ff502e7d60fce652b3bfb26327d236bbf5ab634235e40f1  tpm2-tss-3.2.2.tar.gz
> +sha256  37f1580200ab78305d1fc872d89241aaee0c93cbe85bc559bf332737a60d3be8  tpm2-tss-4.1.3.tar.gz
>  sha256  18c1bf4b1ba1fb2c4ffa7398c234d83c0d55475298e470ae1e5e3a8a8bd2e448  LICENSE
> diff --git a/package/tpm2-tss/tpm2-tss.mk b/package/tpm2-tss/tpm2-tss.mk
> index b76d16e71e..c8a7df7724 100644
> --- a/package/tpm2-tss/tpm2-tss.mk
> +++ b/package/tpm2-tss/tpm2-tss.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -TPM2_TSS_VERSION = 3.2.2
> +TPM2_TSS_VERSION = 4.1.3
>  TPM2_TSS_SITE = https://github.com/tpm2-software/tpm2-tss/releases/download/$(TPM2_TSS_VERSION)

You should update it using $(call github,tpm2-software,) too.

best regards,
  Vincent

>  TPM2_TSS_LICENSE = BSD-2-Clause
>  TPM2_TSS_LICENSE_FILES = LICENSE
> @@ -13,9 +13,6 @@ TPM2_TSS_CPE_ID_PRODUCT = tpm2_software_stack
>  TPM2_TSS_INSTALL_STAGING = YES
>  TPM2_TSS_DEPENDENCIES = openssl host-pkgconf
>  
> -# 0001-configure-Only-use-CXX-when-fuzzing.patch
> -TPM2_TSS_AUTORECONF = YES
> -
>  # systemd-sysusers and systemd-tmpfiles are only used at install time
>  # to trigger the creation of users adn tmpfiles, which we do not care
>  # about at build time. groupadd, useradd, and setfacl are used in the
> @@ -36,10 +33,10 @@ TPM2_TSS_CONF_OPTS = \
>  TPM2_TSS_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -std=c99"
>  
>  ifeq ($(BR2_PACKAGE_TPM2_TSS_FAPI),y)
> -TPM2_TSS_DEPENDENCIES += json-c libcurl
> +TPM2_TSS_DEPENDENCIES += json-c libcurl util-linux
>  TPM2_TSS_CONF_OPTS += --enable-fapi
>  else
> -TPM2_TSS_CONF_OPTS += --disable-fapi
> +TPM2_TSS_CONF_OPTS += --disable-fapi --disable-policy
>  endif
>  
>  define TPM2_TSS_USERS
> -- 
> 2.47.0

* [Buildroot] [PATCH v2 1/2] package/tpm2-tss: bump version to 4.1.3
  2024-11-25  0:02 ` [Buildroot] [PATCH 1/2] package/tpm2-tss: bump version to 4.1.3 abelino
  2024-11-25 17:18   ` Vincent Jardin
@ 2024-11-27  5:25   ` abelino
  2024-11-28 20:25     ` Thomas Petazzoni via buildroot
  2024-11-29 22:10     ` [Buildroot] [PATCH v3 " Abelino Romo
  1 sibling, 2 replies; 14+ messages in thread
From: abelino @ 2024-11-27  5:25 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni, abelino

On v3.2.2, testing with an Infineon SLB9673 resulted in the following
error when attempting to read from a previously written NV index.
Upgrading to the latest release, v4.1.3, resolves the issue:

```shell
~# tpm2_nvread 0x1900001
WARN: Reading full size of the NV index
ERROR:esys:../tpm2-tss-3.2.2/src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() Error: Esys handle does not exist (70018).
ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad
ERROR: Failed to get shandle
ERROR: Failed to read NVRAM area at index 0x1900001
ERROR: Unable to run tpm2_nvread
```

Between v3.2.2 and v4.1.3, the most notable update is v4.1.0 [1], which
includes a fix for CVE-2024-29040, along with 40+ bug fixes and 10+ new
features. Bumping to v4.1.3 adds access to these improvements and
addresses the NV index read issue.

[1] https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0

Signed-off-by: abelino <abelino.romo@gmail.com>
---
Changes v1 -> v2:
  - Update `TPM2_TSS_SITE` to use `$(call github,...)` but required additional
    changes to properly bootstrap `configure`. The previous URL downloaded
    the release artifact which is bootstrapped ahead of time, while the tagged
    source archive does not contain a `VERSION` and `configure` file.
    (suggested by Vincent Jardin)

 .checkpackageignore                           |  2 +-
 .../0001-Prepare-bootstrap-file.patch         | 44 +++++++++++++++++++
 ...01-Temporary-fix-for-build-without-C.patch | 44 -------------------
 package/tpm2-tss/Config.in                    |  2 +
 package/tpm2-tss/tpm2-tss.hash                |  2 +-
 package/tpm2-tss/tpm2-tss.mk                  | 20 ++++++---
 6 files changed, 61 insertions(+), 53 deletions(-)
 create mode 100644 package/tpm2-tss/0001-Prepare-bootstrap-file.patch
 delete mode 100644 package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch

diff --git a/.checkpackageignore b/.checkpackageignore
index b793026881..1b9e32f4d7 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -1237,7 +1237,7 @@ package/tinycompress/0001-wave-add-time.h-missing-header-inclusion.patch lib_pat
 package/tinydtls/0001-sha2-sha2.c-fix-build-on-big-endian.patch lib_patch.Upstream
 package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch lib_patch.Upstream
 package/tpm2-abrmd/S80tpm2-abrmd Shellcheck lib_sysv.Indent lib_sysv.Variables
-package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch lib_patch.Upstream
+package/tpm2-tss/0001-Prepare-bootstrap-file.patch lib_patch.Upstream
 package/transmission/S92transmission Shellcheck lib_sysv.ConsecutiveEmptyLines lib_sysv.Indent lib_sysv.Variables
 package/triggerhappy/S10triggerhappy Shellcheck lib_sysv.Indent lib_sysv.Variables
 package/trinity/0001-Fix-build-with-GCC-10.patch lib_patch.Upstream
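Review bot: the `+` line swaps one `lib_patch.Upstream` exemption for another, so the new `0001-Prepare-bootstrap-file.patch` enters the tree already exempt from the check for an `Upstream:` trailer. Instead of adding a fresh ignore entry, give the patch an `Upstream:` line that points at its upstream submission and drop this entry, which is what v1 of the series did when it removed the old patch.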
diff --git a/package/tpm2-tss/0001-Prepare-bootstrap-file.patch b/package/tpm2-tss/0001-Prepare-bootstrap-file.patch
new file mode 100644
index 0000000000..81ee3b6266
--- /dev/null
+++ b/package/tpm2-tss/0001-Prepare-bootstrap-file.patch
@@ -0,0 +1,44 @@
+From a0a6c030edf233316b9acc56224bfc0d8f637308 Mon Sep 17 00:00:00 2001
+From: abelino <abelino.romo@gmail.com>
+Date: Tue, 26 Nov 2024 16:49:14 -0800
+Subject: [PATCH] Prepare bootstrap file
+
+The bootstrap script uses git to create a VERSION file and we do not
+have access to any git history when pulling the tarball from GitHub's
+Archive. Therefore, we move the responsibility of generating the
+VERSION file and autoreconf'ing from the bootstrap script and off to
+this package's makefile.
+
+Signed-off-by: abelino <abelino.romo@gmail.com>
+---
+ bootstrap | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/bootstrap b/bootstrap
+index 47135577..2032dde8 100755
+--- a/bootstrap
++++ b/bootstrap
+@@ -1,8 +1,6 @@
+ #!/bin/sh
+ set -e
+ 
+-git describe --tags --always --dirty > VERSION
+-
+ # generate list of source files for use in Makefile.am
+ # if you add new source files, you must run ./bootstrap again
+ src_listvar () {
+@@ -89,11 +87,3 @@ if test "${GEN_FUZZ}0" -eq 10; then
+ else
+   touch Makefile-fuzz-generated.am
+ fi
+-
+-${AUTORECONF} --install --sym $@
+-
+-if grep "Invalid policy. Valid policies: git-directory, minor-version." configure >/dev/null; then
+-    echo "ERROR: ax_is_release.m4 is outdated. ./configure will fail."
+-    echo "Please download from http://ftpmirror.gnu.org/autoconf-archive/autoconf-archive-2019.01.06.tar.xz"
+-    exit 1
+-fi
+-- 
+2.47.0
+
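Review bot: the second inner hunk deletes the `ax_is_release.m4` sanity check along with the `${AUTORECONF}` call, but the patch description only accounts for the VERSION file and the autoreconf step. State in the description that the guard is dropped on purpose because the macro is now expected from `host-autoconf-archive`, or keep an equivalent check after Buildroot's autoreconf run, so that a stale macro still fails early with a clear message rather than inside `./configure`.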
diff --git a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch b/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
deleted file mode 100644
index 812c753ffb..0000000000
--- a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 7dc753ad27a8cd14c9b00be94ca89b847cf05ce9 Mon Sep 17 00:00:00 2001
-From: Carlos Santos <unixmania@gmail.com>
-Date: Mon, 23 Dec 2019 08:02:19 -0300
-Subject: [PATCH] Temporary fix for build without C++
-
-C++ is required only for the fuzzing tests but AC_PROG_CXX is included
-by configure.ac even when fuzzing is not enabled (which we don't do on
-Buildroot).
-
-The patch applied upstream had issues and was reverted[1]. Use a local
-patch to solve the problem temporaryly.
-
-Fixes:
-    http://autobuild.buildroot.net/results/13f5e37b47b255da4158bec34e5459136f7e60d4
-    http://autobuild.buildroot.net/results/1c26db2509c79e00c0de1165945277eaa57b149f
-    http://autobuild.buildroot.net/results/b7b6b7b7aca79e847b442cbd2305427d91fe5d70
-    http://autobuild.buildroot.net/results/1cd5a82a0e799aa5027e2e2c03b246332cc3a15d
-    http://autobuild.buildroot.net/results/d7ec878907f714377c83e9a496e97cbf9382d787
-    http://autobuild.buildroot.net/results/1c7f0c1b3ce4871cd87bd6059b1f0a6dc4e74a9c
-    http://autobuild.buildroot.net/results/196b81d580325607c8da90beeb79e1f6b8ab8b47
-    http://autobuild.buildroot.net/results/f90f7b4ac710b56686635f8ae27059c11b963e47
-
-1. https://github.com/tpm2-software/tpm2-tss/commit/60c26e4c4faba6ba12469485653e17092b510840
-
-Signed-off-by: Carlos Santos <unixmania@gmail.com>
----
- configure.ac | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index ff59dd7c..3e4028fb 100755
---- a/configure.ac
-+++ b/configure.ac
-@@ -26,7 +26,6 @@ AX_IS_RELEASE(dash-version)
- AX_CHECK_ENABLE_DEBUG([info])
- 
- AC_PROG_CC
--AC_PROG_CXX
- AC_PROG_LN_S
- AC_USE_SYSTEM_EXTENSIONS
- LT_INIT()
--- 
-2.26.2
-
diff --git a/package/tpm2-tss/Config.in b/package/tpm2-tss/Config.in
index 857987ae36..d87c1e0d8d 100644
--- a/package/tpm2-tss/Config.in
+++ b/package/tpm2-tss/Config.in
@@ -39,6 +39,8 @@ config BR2_PACKAGE_TPM2_TSS_FAPI
 	depends on BR2_TOOLCHAIN_HAS_SYNC_4 # json-c
 	select BR2_PACKAGE_JSON_C
 	select BR2_PACKAGE_LIBCURL
+	select BR2_PACKAGE_UTIL_LINUX
+	select BR2_PACKAGE_UTIL_LINUX_LIBUUID
 	help
 	  This option allows to enable Feature API (FAPI).  Feature
 	  API (FAPI) as described in the "TSS 2.0 Feature API
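Review bot: the two added `select` lines carry no trailing comment, unlike the `# json-c` annotation on the `depends on` line just above, and the commit message does not say which part of 4.1.3 needs `util-linux` and `libuuid`. Add a short `# libuuid` style comment and a sentence in the commit message, and check whether the selected symbols have `depends on` conditions that have to be propagated to `BR2_PACKAGE_TPM2_TSS_FAPI`.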
diff --git a/package/tpm2-tss/tpm2-tss.hash b/package/tpm2-tss/tpm2-tss.hash
index c9fa4e6ae0..a7a0c5cca8 100644
--- a/package/tpm2-tss/tpm2-tss.hash
+++ b/package/tpm2-tss/tpm2-tss.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  ba9e52117f254f357ff502e7d60fce652b3bfb26327d236bbf5ab634235e40f1  tpm2-tss-3.2.2.tar.gz
+sha256  8a389bda64690910e7af7deaf64703a3faed416dc538c9c3e4f893f24893524d  tpm2-tss-4.1.3.tar.gz
 sha256  18c1bf4b1ba1fb2c4ffa7398c234d83c0d55475298e470ae1e5e3a8a8bd2e448  LICENSE
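Review bot: the `+sha256` line keeps the archive name `tpm2-tss-4.1.3.tar.gz` while recording a different digest from the one v1 listed under the same name, because the source moved from the release artifact to the GitHub-generated archive. A download directory or mirror that already holds the release artifact under that name will now fail the hash check, and the `# Locally computed:` header gives no hint which of the two tarballs was hashed. Say in the commit message that these are two different files with one name, and record in the header comment which URL the digest was computed from.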
diff --git a/package/tpm2-tss/tpm2-tss.mk b/package/tpm2-tss/tpm2-tss.mk
index b76d16e71e..ae77d4f313 100644
--- a/package/tpm2-tss/tpm2-tss.mk
+++ b/package/tpm2-tss/tpm2-tss.mk
@@ -4,17 +4,23 @@
 #
 ################################################################################
 
-TPM2_TSS_VERSION = 3.2.2
-TPM2_TSS_SITE = https://github.com/tpm2-software/tpm2-tss/releases/download/$(TPM2_TSS_VERSION)
+TPM2_TSS_VERSION = 4.1.3
+TPM2_TSS_SITE = $(call github,tpm2-software,tpm2-tss,$(TPM2_TSS_VERSION))
 TPM2_TSS_LICENSE = BSD-2-Clause
 TPM2_TSS_LICENSE_FILES = LICENSE
 TPM2_TSS_CPE_ID_VENDOR = tpm2_software_stack_project
 TPM2_TSS_CPE_ID_PRODUCT = tpm2_software_stack
 TPM2_TSS_INSTALL_STAGING = YES
-TPM2_TSS_DEPENDENCIES = openssl host-pkgconf
-
-# 0001-configure-Only-use-CXX-when-fuzzing.patch
+TPM2_TSS_DEPENDENCIES = openssl host-autoconf-archive host-pkgconf
 TPM2_TSS_AUTORECONF = YES
+TPM2_TSS_AUTORECONF_OPTS = --include=$(HOST_DIR)/share/autoconf-archive
+
+define TPM2_TSS_BOOTSTRAP
+	echo $(TPM2_TSS_VERSION) > $(@D)/VERSION
+	cd $(@D) && ./bootstrap
+endef
+
+TPM2_TSS_PRE_CONFIGURE_HOOKS = TPM2_TSS_BOOTSTRAP
 
 # systemd-sysusers and systemd-tmpfiles are only used at install time
 # to trigger the creation of users adn tmpfiles, which we do not care
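Review bot: `TPM2_TSS_PRE_CONFIGURE_HOOKS = TPM2_TSS_BOOTSTRAP` registers the hook with plain assignment; hooks are normally appended with `+=` so that a later addition does not silently replace this one. The hunk also removes the comment that explained `TPM2_TSS_AUTORECONF = YES` without replacing it, and the build now depends on `./bootstrap` running before the autoreconf step; a one-line comment above the hook stating that ordering and why autoreconf is needed (no `configure` in the tagged archive) would make both explicit.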
@@ -36,10 +42,10 @@ TPM2_TSS_CONF_OPTS = \
 TPM2_TSS_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -std=c99"
 
 ifeq ($(BR2_PACKAGE_TPM2_TSS_FAPI),y)
-TPM2_TSS_DEPENDENCIES += json-c libcurl
+TPM2_TSS_DEPENDENCIES += json-c libcurl util-linux
 TPM2_TSS_CONF_OPTS += --enable-fapi
 else
-TPM2_TSS_CONF_OPTS += --disable-fapi
+TPM2_TSS_CONF_OPTS += --disable-fapi --disable-policy
 endif
 
 define TPM2_TSS_USERS
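Review bot: `--disable-policy` is added on the `else` branch with no comment, and the commit message does not mention it, so a reader cannot tell why building without FAPI must also turn the policy library off. If the reason is that it needs the same dependencies that the FAPI branch now pulls in (`json-c`, `util-linux`), say so in a comment next to the option and in the commit message; the same goes for the new `util-linux` entry on the FAPI branch.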
-- 
2.47.0


* [Buildroot] [PATCH v2 2/2] package/tpm2-tss-engine: add version 1.2.0
  2024-11-25  0:02 ` [Buildroot] [PATCH 2/2] package/tpm2-tss-engine: add version 1.2.0 abelino
  2024-11-25 17:11   ` Vincent Jardin
@ 2024-11-27  5:27   ` abelino
  2024-11-29 22:13     ` [Buildroot] [PATCH v3 " Abelino Romo
  1 sibling, 1 reply; 14+ messages in thread
From: abelino @ 2024-11-27  5:27 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni, abelino

Introduce the TPM2-TSS OpenSSL Engine to enable TPM2 device support in
ecosystems that do not yet support OpenSSL Providers. This is
particularly useful in the Erlang space, where OpenSSL 3 Providers are
still under development [1].

[1] https://erlangforums.com/t/openssl-3-support-for-provider-deprecated-engine-replacement/2954/2

Signed-off-by: abelino <abelino.romo@gmail.com>
---
> When will a tpm2-tss-engine release update be available to avoid this
> patch? Did you suggest/ask for a new release to the tpm2-tss-engine
> community using a github issue?

I just did that today. I will check in periodically and circle back as
soon as a new release is cut.

Changes v1 -> v2:
  - Suppress OpenSSL 3 Engine deprecated API warnings since this package
    implements an engine and it is known these APIs are deprecated.
    (suggested by Vincent Jardin)

  - Update `TPM2_TSS_ENGINE_SITE` to use `$(call github,...)` but required
    additional changes to properly bootstrap `configure`. The previous URL
    downloaded the release artifact which contained a `VERSION` file, while
    the tagged source archive does not contain a `VERSION` file.
    (suggested by Vincent Jardin)

  - Added `BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN` to toggle `digestsign`
    compile time option. `digestsign` is enabled by default, hence the use
    of `ifneq`.
    (suggested by Vincent Jardin)

  - Removed hardcoded `enginesdir` in favor of value from `pkg-config`.
    I opted to use the `define` directive in hope that it is easier to
    read/digest.
    (suggested by Vincent Jardin)

 package/Config.in                             |  1 +
 ...-disabling-of-digest-sign-operations.patch | 46 +++++++++++++++++++
 package/tpm2-tss-engine/Config.in             | 21 +++++++++
 package/tpm2-tss-engine/tpm2-tss-engine.hash  |  3 ++
 package/tpm2-tss-engine/tpm2-tss-engine.mk    | 40 ++++++++++++++++
 5 files changed, 111 insertions(+)
 create mode 100644 package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
 create mode 100644 package/tpm2-tss-engine/Config.in
 create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.hash
 create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.mk

diff --git a/package/Config.in b/package/Config.in
index 1eb5e1e020..4f4b7a34d5 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1633,6 +1633,7 @@ menu "Crypto"
 	source "package/tpm2-openssl/Config.in"
 	source "package/tpm2-pkcs11/Config.in"
 	source "package/tpm2-tss/Config.in"
+	source "package/tpm2-tss-engine/Config.in"
 	source "package/trousers/Config.in"
 	source "package/ustream-ssl/Config.in"
 	source "package/wolfssl/Config.in"
diff --git a/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
new file mode 100644
index 0000000000..7ce717df4a
--- /dev/null
+++ b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
@@ -0,0 +1,46 @@
+From af8b26e7ffe69837197fb841e9a31230ae01c9cc Mon Sep 17 00:00:00 2001
+From: Andreas Fuchs <andreas.fuchs@infineon.com>
+Date: Mon, 22 May 2023 14:06:41 +0200
+Subject: [PATCH] Configure: Allow disabling of digest-sign operations
+
+Since the digest-sign operations perform the hash on the TPM and
+TPMs in general do not support SHA512, this can lead to errors.
+Depending on the use case, it might be preferable to not support
+restricted keys (via digest+sign) but to rely on ordinary keys
+only.
+
+Upstream: https://github.com/tpm2-software/tpm2-tss-engine/commit/af8b26e7ffe69837197fb841e9a31230ae01c9cc
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+---
+ configure.ac | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d4a9356..b379042 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,13 +116,19 @@ PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g],
+ PKG_CHECK_MODULES([TSS2_ESYS], [tss2-esys >= 2.3])
+ PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
+ PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr])
++
+ AC_CHECK_LIB([crypto], EC_KEY_METHOD_set_compute_key,
+       [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], true)],
+       [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], false)])
++
++AC_ARG_ENABLE([digestsign],
++              [AS_HELP_STRING([--disable-digestsign],
++                              [Disable support for digest and sign methods, helps with TPM unsupported hash algorithms.])],,
++              [enable_digestsign=yes])
+ AC_CHECK_LIB([crypto], EVP_PKEY_meth_set_digest_custom,
+-      [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], true)],
++      [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], [test "x$enable_digestsign" != "xno"])],
+       [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], false)])
+-AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes],
++AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes && test "x$enable_digestsign" = "xyes"],
+       [AC_DEFINE([HAVE_OPENSSL_DIGEST_SIGN], [1],
+                  Have required functionality from OpenSSL to support digest and sign)])
+ 
+-- 
+2.47.0
+
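Review bot: in the backported `configure.ac` change the two tests on `enable_digestsign` disagree: the `AM_CONDITIONAL` is true for any value other than `no`, while the `AS_IF` defines `HAVE_OPENSSL_DIGEST_SIGN` only for exactly `yes`. Buildroot passes either nothing or `--disable-digestsign`, so both tests agree in this package, but a value such as `--enable-digestsign=foo` would turn the automake conditional on and leave the C define off. That is worth reporting upstream rather than changing in the backport.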
diff --git a/package/tpm2-tss-engine/Config.in b/package/tpm2-tss-engine/Config.in
new file mode 100644
index 0000000000..00f8ac7632
--- /dev/null
+++ b/package/tpm2-tss-engine/Config.in
@@ -0,0 +1,21 @@
+config BR2_PACKAGE_TPM2_TSS_ENGINE
+	bool "tpm2-tss-engine"
+	select BR2_PACKAGE_TPM2_TSS
+	select BR2_PACKAGE_LIBOPENSSL_ENGINES
+	help
+	  The tpm2-tss-engine project implements a cryptographic engine
+	  for OpenSSL for Trusted Platform Module (TPM 2.0) using the
+	  tpm2-tss software stack that follows the Trusted Computing
+	  Groups (TCG) TPM Software Stack (TSS 2.0). It uses the
+	  Enhanced System API (ESAPI) interface of the TSS 2.0 for
+	  downwards communication. It supports RSA decryption and
+	  signatures as well as ECDSA signatures.
+
+if BR2_PACKAGE_TPM2_TSS_ENGINE
+
+config BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN
+	bool "enable digest and sign support"
+	help
+	  Enable digest-sign hash operations on the TPM.
+
+endif
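Review bot: `BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN` has no `default y`, so with the `ifneq` in the `.mk` a default configuration passes `--disable-digestsign`, which inverts the upstream default that the v2 changelog describes as enabled. Either add `default y` to keep upstream behaviour, or state in the help text that Buildroot disables digest-sign unless the option is set and why (the SHA512 limitation from the backported patch description). The main `help` block also lacks the usual trailing upstream URL.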
diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.hash b/package/tpm2-tss-engine/tpm2-tss-engine.hash
new file mode 100644
index 0000000000..176d41390f
--- /dev/null
+++ b/package/tpm2-tss-engine/tpm2-tss-engine.hash
@@ -0,0 +1,3 @@
+# Locally computed:
+sha256  2b1b71aab191cf2a3f4c92a12a9dc7a3d362807693148802ab3335431f904eb2  tpm2-tss-engine-1.2.0.tar.gz
+sha256  7a77915f34caf18d47bc31750dae47dbd7f7895e95bbb8370f477c25009388f6  LICENSE
diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.mk b/package/tpm2-tss-engine/tpm2-tss-engine.mk
new file mode 100644
index 0000000000..d6beee4bf3
--- /dev/null
+++ b/package/tpm2-tss-engine/tpm2-tss-engine.mk
@@ -0,0 +1,40 @@
+################################################################################
+#
+# tpm2-tss-engine
+#
+################################################################################
+
+TPM2_TSS_ENGINE_VERSION = 1.2.0
+TPM2_TSS_ENGINE_SITE = $(call github,tpm2-software,tpm2-tss-engine,$(TPM2_TSS_ENGINE_VERSION))
+TPM2_TSS_ENGINE_LICENSE = BSD-3-Clause
+TPM2_TSS_ENGINE_LICENSE_FILES = LICENSE
+TPM2_TSS_ENGINE_INSTALL_STAGING = YES
+TPM2_TSS_ENGINE_DEPENDENCIES = host-autoconf-archive host-pkgconf tpm2-tss
+TPM2_TSS_ENGINE_AUTORECONF = YES
+TPM2_TSS_ENGINE_AUTORECONF_OPTS = --include=$(HOST_DIR)/share/autoconf-archive
+
+define TPM2_TSS_ENGINE_BOOTSTRAP
+	echo $(TPM2_TSS_ENGINE_VERSION) > $(@D)/VERSION
+endef
+
+TPM2_TSS_ENGINE_PRE_CONFIGURE_HOOKS = TPM2_TSS_ENGINE_BOOTSTRAP
+
+# Since the OpenSSL 3.0 Engine APIs are deprecated, suppress the warnings.
+TPM2_TSS_ENGINE_CFLAGS = $(TARGET_CFLAGS) -Wno-deprecated-declarations
+TPM2_TSS_ENGINE_CONF_ENV += CFLAGS="$(TPM2_TSS_ENGINE_CFLAGS)"
+
+define TPM2_TSS_ENGINE_ENGINESDIR
+	$(PKG_CONFIG_HOST_BINARY) --variable=enginesdir libcrypto \
+		| xargs readlink -f \
+		| sed 's%^$(STAGING_DIR)%%'
+endef
+
+TPM2_TSS_ENGINE_CONF_OPTS = \
+	--disable-defaultflags \
+	--with-enginesdir=`$(TPM2_TSS_ENGINE_ENGINESDIR)`
+
+ifneq ($(BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN),y)
+TPM2_TSS_ENGINE_CONF_OPTS += --disable-digestsign
+endif
+
+$(eval $(autotools-package))
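Review bot: `TPM2_TSS_ENGINE_DEPENDENCIES` does not list `openssl`, although `configure.ac` checks for `libcrypto` and this file queries `pkg-config` for `libcrypto`'s `enginesdir`; the library only arrives indirectly through `tpm2-tss`. List `openssl` explicitly so the build order does not depend on another package's dependency list. Two smaller points: `TPM2_TSS_ENGINE_PRE_CONFIGURE_HOOKS` should be appended with `+=`, and the backtick pipeline in `TPM2_TSS_ENGINE_ENGINESDIR` has no failure handling, so an empty `pkg-config` answer ends up as an empty `--with-enginesdir=`.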
-- 
2.47.0


* Re: [Buildroot] [PATCH 1/2] package/tpm2-tss: bump version to 4.1.3
  2024-11-25 17:18   ` Vincent Jardin
@ 2024-11-28 10:46     ` Fiona Klute via buildroot
  0 siblings, 0 replies; 14+ messages in thread
From: Fiona Klute via buildroot @ 2024-11-28 10:46 UTC (permalink / raw)
  To: Vincent Jardin, abelino; +Cc: buildroot

On 25.11.24 at 18:18, Vincent Jardin wrote:
> Hi,
>
> see below,
>
> On Sun, Nov 24, 2024 at 04:02:17PM UTC, abelino wrote:
>> On v3.2.2, testing with an Infineon SLB9673 resulted in the following
>> error when attempting to read from a previously written NV index.
>> Upgrading to the latest release, v4.1.3, resolves the issue:
>>
>> ```shell
>> ~# tpm2_nvread 0x1900001
>> WARN: Reading full size of the NV index
>> ERROR:esys:../tpm2-tss-3.2.2/src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() Error: Esys handle does not exist (70018).
>> ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad
>> ERROR: Failed to get shandle
>> ERROR: Failed to read NVRAM area at index 0x1900001
>> ERROR: Unable to run tpm2_nvread
>> ```
>>
>> Between v3.2.2 and v4.1.3, the most notable update is v4.1.0 [1], which
>> includes a fix for CVE-2024-29040, along with 40+ bug fixes and 10+ new
>> features. Bumping to v4.1.3 adds access to these improvements and
>> addresses the NV index read issue.
>>
>> [1] https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0
>>
>> Signed-off-by: abelino <abelino.romo@gmail.com>
>> ---
>>   .checkpackageignore                           |  1 -
>>   ...01-Temporary-fix-for-build-without-C.patch | 44 -------------------
>>   package/tpm2-tss/Config.in                    |  2 +
>>   package/tpm2-tss/tpm2-tss.hash                |  2 +-
>>   package/tpm2-tss/tpm2-tss.mk                  |  9 ++--
>>   5 files changed, 6 insertions(+), 52 deletions(-)
>>   delete mode 100644 package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
>>
>> diff --git a/.checkpackageignore b/.checkpackageignore
>> index b793026881..906a733b7b 100644
>> --- a/.checkpackageignore
>> +++ b/.checkpackageignore
>> @@ -1237,7 +1237,6 @@ package/tinycompress/0001-wave-add-time.h-missing-header-inclusion.patch lib_pat
>>   package/tinydtls/0001-sha2-sha2.c-fix-build-on-big-endian.patch lib_patch.Upstream
>>   package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch lib_patch.Upstream
>>   package/tpm2-abrmd/S80tpm2-abrmd Shellcheck lib_sysv.Indent lib_sysv.Variables
>> -package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch lib_patch.Upstream
>>   package/transmission/S92transmission Shellcheck lib_sysv.ConsecutiveEmptyLines lib_sysv.Indent lib_sysv.Variables
>>   package/triggerhappy/S10triggerhappy Shellcheck lib_sysv.Indent lib_sysv.Variables
>>   package/trinity/0001-Fix-build-with-GCC-10.patch lib_patch.Upstream
>> diff --git a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch b/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
>> deleted file mode 100644
>> index 812c753ffb..0000000000
>> --- a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
>> +++ /dev/null
>> @@ -1,44 +0,0 @@
>> -From 7dc753ad27a8cd14c9b00be94ca89b847cf05ce9 Mon Sep 17 00:00:00 2001
>> -From: Carlos Santos <unixmania@gmail.com>
>> -Date: Mon, 23 Dec 2019 08:02:19 -0300
>> -Subject: [PATCH] Temporary fix for build without C++
>> -
>> -C++ is required only for the fuzzing tests but AC_PROG_CXX is included
>> -by configure.ac even when fuzzing is not enabled (which we don't do on
>> -Buildroot).
>> -
>> -The patch applied upstream had issues and was reverted[1]. Use a local
>> -patch to solve the problem temporaryly.
>> -
>> -Fixes:
>> -    http://autobuild.buildroot.net/results/13f5e37b47b255da4158bec34e5459136f7e60d4
>> -    http://autobuild.buildroot.net/results/1c26db2509c79e00c0de1165945277eaa57b149f
>> -    http://autobuild.buildroot.net/results/b7b6b7b7aca79e847b442cbd2305427d91fe5d70
>> -    http://autobuild.buildroot.net/results/1cd5a82a0e799aa5027e2e2c03b246332cc3a15d
>> -    http://autobuild.buildroot.net/results/d7ec878907f714377c83e9a496e97cbf9382d787
>> -    http://autobuild.buildroot.net/results/1c7f0c1b3ce4871cd87bd6059b1f0a6dc4e74a9c
>> -    http://autobuild.buildroot.net/results/196b81d580325607c8da90beeb79e1f6b8ab8b47
>> -    http://autobuild.buildroot.net/results/f90f7b4ac710b56686635f8ae27059c11b963e47
>> -
>> -1. https://github.com/tpm2-software/tpm2-tss/commit/60c26e4c4faba6ba12469485653e17092b510840
>> -
>> -Signed-off-by: Carlos Santos <unixmania@gmail.com>
>> ----
>> - configure.ac | 1 -
>> - 1 file changed, 1 deletion(-)
>> -
>> -diff --git a/configure.ac b/configure.ac
>> -index ff59dd7c..3e4028fb 100755
>> ---- a/configure.ac
>> -+++ b/configure.ac
>> -@@ -26,7 +26,6 @@ AX_IS_RELEASE(dash-version)
>> - AX_CHECK_ENABLE_DEBUG([info])
>> -
>> - AC_PROG_CC
>> --AC_PROG_CXX
>> - AC_PROG_LN_S
>> - AC_USE_SYSTEM_EXTENSIONS
>> - LT_INIT()
>> ---
>> -2.26.2
>> -
>> diff --git a/package/tpm2-tss/Config.in b/package/tpm2-tss/Config.in
>> index 857987ae36..d87c1e0d8d 100644
>> --- a/package/tpm2-tss/Config.in
>> +++ b/package/tpm2-tss/Config.in
>> @@ -39,6 +39,8 @@ config BR2_PACKAGE_TPM2_TSS_FAPI
>>   	depends on BR2_TOOLCHAIN_HAS_SYNC_4 # json-c
>>   	select BR2_PACKAGE_JSON_C
>>   	select BR2_PACKAGE_LIBCURL
>> +	select BR2_PACKAGE_UTIL_LINUX
>> +	select BR2_PACKAGE_UTIL_LINUX_LIBUUID
>>   	help
>>   	  This option allows to enable Feature API (FAPI).  Feature
>>   	  API (FAPI) as described in the "TSS 2.0 Feature API
>> diff --git a/package/tpm2-tss/tpm2-tss.hash b/package/tpm2-tss/tpm2-tss.hash
>> index c9fa4e6ae0..891c1285b0 100644
>> --- a/package/tpm2-tss/tpm2-tss.hash
>> +++ b/package/tpm2-tss/tpm2-tss.hash
>> @@ -1,3 +1,3 @@
>>   # Locally computed:
>> -sha256  ba9e52117f254f357ff502e7d60fce652b3bfb26327d236bbf5ab634235e40f1  tpm2-tss-3.2.2.tar.gz
>> +sha256  37f1580200ab78305d1fc872d89241aaee0c93cbe85bc559bf332737a60d3be8  tpm2-tss-4.1.3.tar.gz
>>   sha256  18c1bf4b1ba1fb2c4ffa7398c234d83c0d55475298e470ae1e5e3a8a8bd2e448  LICENSE
>> diff --git a/package/tpm2-tss/tpm2-tss.mk b/package/tpm2-tss/tpm2-tss.mk
>> index b76d16e71e..c8a7df7724 100644
>> --- a/package/tpm2-tss/tpm2-tss.mk
>> +++ b/package/tpm2-tss/tpm2-tss.mk
>> @@ -4,7 +4,7 @@
>>   #
>>   ################################################################################
>>
>> -TPM2_TSS_VERSION = 3.2.2
>> +TPM2_TSS_VERSION = 4.1.3
>>   TPM2_TSS_SITE = https://github.com/tpm2-software/tpm2-tss/releases/download/$(TPM2_TSS_VERSION)
>
> You should update it using $(call github,tpm2-software,) too.

Isn't pointing _SITE at the HTTPS clone URL and using _SITE_METHOD = git
preferred nowadays, to ensure we get reproducible tarballs?

Best regards,
Fiona


* Re: [Buildroot] [PATCH v2 1/2] package/tpm2-tss: bump version to 4.1.3
  2024-11-27  5:25   ` [Buildroot] [PATCH v2 " abelino
@ 2024-11-28 20:25     ` Thomas Petazzoni via buildroot
  2024-11-29 22:10     ` [Buildroot] [PATCH v3 " Abelino Romo
  1 sibling, 0 replies; 14+ messages in thread
From: Thomas Petazzoni via buildroot @ 2024-11-28 20:25 UTC (permalink / raw)
  To: abelino; +Cc: buildroot

Hello,

Thanks for your patch! See some comments below.

On Tue, 26 Nov 2024 21:25:41 -0800
abelino <abelino.romo@gmail.com> wrote:

> On v3.2.2, testing with an Infineon SLB9673 resulted in the following
> error when attempting to read from a previously written NV index.
> Upgrading to the latest release, v4.1.3, resolves the issue:
> 
> ```shell
> ~# tpm2_nvread 0x1900001
> WARN: Reading full size of the NV index
> ERROR:esys:../tpm2-tss-3.2.2/src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() Error: Esys handle does not exist (70018).
> ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad
> ERROR: Failed to get shandle
> ERROR: Failed to read NVRAM area at index 0x1900001
> ERROR: Unable to run tpm2_nvread
> ```
> 
> Between v3.2.2 and v4.1.3, the most notable update is v4.1.0 [1], which
> includes a fix for CVE-2024-29040, along with 40+ bug fixes and 10+ new
> features. Bumping to v4.1.3 adds access to these improvements and
> addresses the NV index read issue.
> 
> [1] https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0
> 
> Signed-off-by: abelino <abelino.romo@gmail.com>

Could you please Signed-off-by with a real name, and proper
capitalization, i.e. probably:

	Abelino Romo <abelino.romo@gmail.com>

 ?

> Changes v1 -> v2:
>   - Update `TPM2_TSS_SITE` to use `$(call github,...)` but required additional
>     changes to properly bootstrap `configure`. The previous URL downloaded
>     the release artifact which is bootstrapped ahead of time, while the tagged
>     source archive does not contain a `VERSION` and `configure` file.
>     (suggested by Vincent Jardin)

In fact this suggestion from Vincent was not correct. This project
provides automatically generated tarballs *and* manually uploaded
tarballs, and the original package as well as your v1 was using the
manually uploaded tarball, which is good. We should keep doing that.


> diff --git a/package/tpm2-tss/0001-Prepare-bootstrap-file.patch b/package/tpm2-tss/0001-Prepare-bootstrap-file.patch
> new file mode 100644
> index 0000000000..81ee3b6266
> --- /dev/null
> +++ b/package/tpm2-tss/0001-Prepare-bootstrap-file.patch
> @@ -0,0 +1,44 @@
> +From a0a6c030edf233316b9acc56224bfc0d8f637308 Mon Sep 17 00:00:00 2001
> +From: abelino <abelino.romo@gmail.com>
> +Date: Tue, 26 Nov 2024 16:49:14 -0800
> +Subject: [PATCH] Prepare bootstrap file
> +
> +The bootstrap script uses git to create a VERSION file and we do not
> +have access to any git history when pulling the tarball from GitHub's
> +Archive. Therefore, we move the responsibility of generating the
> +VERSION file and autoreconf'ing from the bootstrap script and off to
> +this package's makefile.
> +
> +Signed-off-by: abelino <abelino.romo@gmail.com>

All patches should be submitted upstream (and have an Upstream: tag
pointing to the URL of the upstream submission). But I believe if you
use the release tarball this patch is no longer needed?

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com

* [Buildroot] [PATCH v3 1/2] package/tpm2-tss: bump version to 4.1.3
  2024-11-27  5:25   ` [Buildroot] [PATCH v2 " abelino
  2024-11-28 20:25     ` Thomas Petazzoni via buildroot
@ 2024-11-29 22:10     ` Abelino Romo
  2025-07-07 15:18       ` Fiona Klute via buildroot
  1 sibling, 1 reply; 14+ messages in thread
From: Abelino Romo @ 2024-11-29 22:10 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni, Abelino Romo

On v3.2.2, testing with an Infineon SLB9673 resulted in the following
error when attempting to read from a previously written NV index.
Upgrading to the latest release, v4.1.3, resolves the issue:

```shell
~# tpm2_nvread 0x1900001
WARN: Reading full size of the NV index
ERROR:esys:../tpm2-tss-3.2.2/src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() Error: Esys handle does not exist (70018).
ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad
ERROR: Failed to get shandle
ERROR: Failed to read NVRAM area at index 0x1900001
ERROR: Unable to run tpm2_nvread
```

Between v3.2.2 and v4.1.3, the most notable update is v4.1.0 [1], which
includes a fix for CVE-2024-29040, along with 40+ bug fixes and 10+ new
features. Bumping to v4.1.3 adds access to these improvements and
addresses the NV index read issue.

[1] https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0

Signed-off-by: Abelino Romo <abelino.romo@gmail.com>
---
Changes v2 -> v3:
  - Use manually uploaded tarball - the artifact from releases/download URL -
    and not the archive tarball.
    (suggested by Thomas Petazzoni)

  - Updated Signed-Off formatting.
    (suggested by Thomas Petazzoni)

 .checkpackageignore                           |  1 -
 ...01-Temporary-fix-for-build-without-C.patch | 44 -------------------
 package/tpm2-tss/Config.in                    |  2 +
 package/tpm2-tss/tpm2-tss.hash                |  2 +-
 package/tpm2-tss/tpm2-tss.mk                  |  9 ++--
 5 files changed, 6 insertions(+), 52 deletions(-)
 delete mode 100644 package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch

diff --git a/.checkpackageignore b/.checkpackageignore
index b793026881..906a733b7b 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -1237,7 +1237,6 @@ package/tinycompress/0001-wave-add-time.h-missing-header-inclusion.patch lib_pat
 package/tinydtls/0001-sha2-sha2.c-fix-build-on-big-endian.patch lib_patch.Upstream
 package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch lib_patch.Upstream
 package/tpm2-abrmd/S80tpm2-abrmd Shellcheck lib_sysv.Indent lib_sysv.Variables
-package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch lib_patch.Upstream
 package/transmission/S92transmission Shellcheck lib_sysv.ConsecutiveEmptyLines lib_sysv.Indent lib_sysv.Variables
 package/triggerhappy/S10triggerhappy Shellcheck lib_sysv.Indent lib_sysv.Variables
 package/trinity/0001-Fix-build-with-GCC-10.patch lib_patch.Upstream
diff --git a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch b/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
deleted file mode 100644
index 812c753ffb..0000000000
--- a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 7dc753ad27a8cd14c9b00be94ca89b847cf05ce9 Mon Sep 17 00:00:00 2001
-From: Carlos Santos <unixmania@gmail.com>
-Date: Mon, 23 Dec 2019 08:02:19 -0300
-Subject: [PATCH] Temporary fix for build without C++
-
-C++ is required only for the fuzzing tests but AC_PROG_CXX is included
-by configure.ac even when fuzzing is not enabled (which we don't do on
-Buildroot).
-
-The patch applied upstream had issues and was reverted[1]. Use a local
-patch to solve the problem temporaryly.
-
-Fixes:
-    http://autobuild.buildroot.net/results/13f5e37b47b255da4158bec34e5459136f7e60d4
-    http://autobuild.buildroot.net/results/1c26db2509c79e00c0de1165945277eaa57b149f
-    http://autobuild.buildroot.net/results/b7b6b7b7aca79e847b442cbd2305427d91fe5d70
-    http://autobuild.buildroot.net/results/1cd5a82a0e799aa5027e2e2c03b246332cc3a15d
-    http://autobuild.buildroot.net/results/d7ec878907f714377c83e9a496e97cbf9382d787
-    http://autobuild.buildroot.net/results/1c7f0c1b3ce4871cd87bd6059b1f0a6dc4e74a9c
-    http://autobuild.buildroot.net/results/196b81d580325607c8da90beeb79e1f6b8ab8b47
-    http://autobuild.buildroot.net/results/f90f7b4ac710b56686635f8ae27059c11b963e47
-
-1. https://github.com/tpm2-software/tpm2-tss/commit/60c26e4c4faba6ba12469485653e17092b510840
-
-Signed-off-by: Carlos Santos <unixmania@gmail.com>
----
- configure.ac | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index ff59dd7c..3e4028fb 100755
---- a/configure.ac
-+++ b/configure.ac
-@@ -26,7 +26,6 @@ AX_IS_RELEASE(dash-version)
- AX_CHECK_ENABLE_DEBUG([info])
- 
- AC_PROG_CC
--AC_PROG_CXX
- AC_PROG_LN_S
- AC_USE_SYSTEM_EXTENSIONS
- LT_INIT()
--- 
-2.26.2
-
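Review bot: the commit message never says why the local patch that dropped AC_PROG_CXX from configure.ac can be deleted. That patch existed because configure asked for a C++ compiler even with fuzzing disabled, and its own log lists eight autobuilder failures from that. Please state in the commit log whether 4.1.3 contains an upstream fix for this; if it does not, builds on toolchains without C++ will regress, and the Config.in hunk in this patch adds no toolchain dependency (such as `depends on BR2_INSTALL_LIBSTDCPP`) to guard against it.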
diff --git a/package/tpm2-tss/Config.in b/package/tpm2-tss/Config.in
index 857987ae36..d87c1e0d8d 100644
--- a/package/tpm2-tss/Config.in
+++ b/package/tpm2-tss/Config.in
@@ -39,6 +39,8 @@ config BR2_PACKAGE_TPM2_TSS_FAPI
 	depends on BR2_TOOLCHAIN_HAS_SYNC_4 # json-c
 	select BR2_PACKAGE_JSON_C
 	select BR2_PACKAGE_LIBCURL
+	select BR2_PACKAGE_UTIL_LINUX
+	select BR2_PACKAGE_UTIL_LINUX_LIBUUID
 	help
 	  This option allows to enable Feature API (FAPI).  Feature
 	  API (FAPI) as described in the "TSS 2.0 Feature API
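Review bot: the two new `select` lines under BR2_PACKAGE_TPM2_TSS_FAPI add util-linux's libuuid to every FAPI build, but the commit message does not mention this new dependency at all. Add a sentence saying why FAPI now needs libuuid, and check whether BR2_PACKAGE_UTIL_LINUX has `depends on` conditions that must be repeated on this option, since `select` does not inherit them.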
diff --git a/package/tpm2-tss/tpm2-tss.hash b/package/tpm2-tss/tpm2-tss.hash
index c9fa4e6ae0..891c1285b0 100644
--- a/package/tpm2-tss/tpm2-tss.hash
+++ b/package/tpm2-tss/tpm2-tss.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  ba9e52117f254f357ff502e7d60fce652b3bfb26327d236bbf5ab634235e40f1  tpm2-tss-3.2.2.tar.gz
+sha256  37f1580200ab78305d1fc872d89241aaee0c93cbe85bc559bf332737a60d3be8  tpm2-tss-4.1.3.tar.gz
 sha256  18c1bf4b1ba1fb2c4ffa7398c234d83c0d55475298e470ae1e5e3a8a8bd2e448  LICENSE
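Review bot: the replaced tarball hash stays under the "Locally computed" comment, so it only pins whatever the submitter downloaded and gives a reviewer nothing independent to compare against. If upstream publishes a signature or checksum alongside the release tarball, verify the download against it and say so in the comment line above the hash.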
diff --git a/package/tpm2-tss/tpm2-tss.mk b/package/tpm2-tss/tpm2-tss.mk
index b76d16e71e..c8a7df7724 100644
--- a/package/tpm2-tss/tpm2-tss.mk
+++ b/package/tpm2-tss/tpm2-tss.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-TPM2_TSS_VERSION = 3.2.2
+TPM2_TSS_VERSION = 4.1.3
 TPM2_TSS_SITE = https://github.com/tpm2-software/tpm2-tss/releases/download/$(TPM2_TSS_VERSION)
 TPM2_TSS_LICENSE = BSD-2-Clause
 TPM2_TSS_LICENSE_FILES = LICENSE
@@ -13,9 +13,6 @@ TPM2_TSS_CPE_ID_PRODUCT = tpm2_software_stack
 TPM2_TSS_INSTALL_STAGING = YES
 TPM2_TSS_DEPENDENCIES = openssl host-pkgconf
 
-# 0001-configure-Only-use-CXX-when-fuzzing.patch
-TPM2_TSS_AUTORECONF = YES
-
 # systemd-sysusers and systemd-tmpfiles are only used at install time
 # to trigger the creation of users adn tmpfiles, which we do not care
 # about at build time. groupadd, useradd, and setfacl are used in the
@@ -36,10 +33,10 @@ TPM2_TSS_CONF_OPTS = \
 TPM2_TSS_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -std=c99"
 
 ifeq ($(BR2_PACKAGE_TPM2_TSS_FAPI),y)
-TPM2_TSS_DEPENDENCIES += json-c libcurl
+TPM2_TSS_DEPENDENCIES += json-c libcurl util-linux
 TPM2_TSS_CONF_OPTS += --enable-fapi
 else
-TPM2_TSS_CONF_OPTS += --disable-fapi
+TPM2_TSS_CONF_OPTS += --disable-fapi --disable-policy
 endif
 
 define TPM2_TSS_USERS
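Review bot: `--disable-policy` in the else branch is not explained anywhere in the commit message, and the FAPI branch has no matching `--enable-policy`, so whether the policy library is built there is left to configure's default. Make both branches explicit (`--enable-fapi --enable-policy` / `--disable-fapi --disable-policy`) and add a line to the commit log saying why policy support is tied to the FAPI option.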
-- 
2.47.0


* [Buildroot] [PATCH v3 2/2] package/tpm2-tss-engine: add version 1.2.0
  2024-11-27  5:27   ` [Buildroot] [PATCH v2 " abelino
@ 2024-11-29 22:13     ` Abelino Romo
  2025-12-23 21:23       ` Thomas Petazzoni via buildroot
  0 siblings, 1 reply; 14+ messages in thread
From: Abelino Romo @ 2024-11-29 22:13 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni, Abelino Romo

Introduce the TPM2-TSS OpenSSL Engine to enable TPM2 device support in
ecosystems that do not yet support OpenSSL Providers. This is
particularly useful in the Erlang space, where OpenSSL 3 Providers are
still under development [1].

[1] https://erlangforums.com/t/openssl-3-support-for-provider-deprecated-engine-replacement/2954/2

Signed-off-by: Abelino Romo <abelino.romo@gmail.com>
---
Changes v2 -> v3:
  - Use manually uploaded tarball - the artifact from releases/download URL -
    and not the archive tarball.
    (suggested by Thomas Petazzoni in tpm2-tss patch thread)

  - Updated Signed-Off formatting.
    (suggested by Thomas Petazzoni in tpm2-tss patch thread)

 package/Config.in                             |  1 +
 ...-disabling-of-digest-sign-operations.patch | 46 +++++++++++++++++++
 package/tpm2-tss-engine/Config.in             | 21 +++++++++
 package/tpm2-tss-engine/tpm2-tss-engine.hash  |  3 ++
 package/tpm2-tss-engine/tpm2-tss-engine.mk    | 33 +++++++++++++
 5 files changed, 104 insertions(+)
 create mode 100644 package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
 create mode 100644 package/tpm2-tss-engine/Config.in
 create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.hash
 create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.mk

diff --git a/package/Config.in b/package/Config.in
index 1eb5e1e020..4f4b7a34d5 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1633,6 +1633,7 @@ menu "Crypto"
 	source "package/tpm2-openssl/Config.in"
 	source "package/tpm2-pkcs11/Config.in"
 	source "package/tpm2-tss/Config.in"
+	source "package/tpm2-tss-engine/Config.in"
 	source "package/trousers/Config.in"
 	source "package/ustream-ssl/Config.in"
 	source "package/wolfssl/Config.in"
diff --git a/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
new file mode 100644
index 0000000000..7ce717df4a
--- /dev/null
+++ b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
@@ -0,0 +1,46 @@
+From af8b26e7ffe69837197fb841e9a31230ae01c9cc Mon Sep 17 00:00:00 2001
+From: Andreas Fuchs <andreas.fuchs@infineon.com>
+Date: Mon, 22 May 2023 14:06:41 +0200
+Subject: [PATCH] Configure: Allow disabling of digest-sign operations
+
+Since the digest-sign operations perform the hash on the TPM and
+TPMs in general do not support SHA512, this can lead to errors.
+Depending on the use case, it might be preferable to not support
+restricted keys (via digest+sign) but to rely on ordinary keys
+only.
+
+Upstream: https://github.com/tpm2-software/tpm2-tss-engine/commit/af8b26e7ffe69837197fb841e9a31230ae01c9cc
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+---
+ configure.ac | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d4a9356..b379042 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,13 +116,19 @@ PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g],
+ PKG_CHECK_MODULES([TSS2_ESYS], [tss2-esys >= 2.3])
+ PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
+ PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr])
++
+ AC_CHECK_LIB([crypto], EC_KEY_METHOD_set_compute_key,
+       [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], true)],
+       [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], false)])
++
++AC_ARG_ENABLE([digestsign],
++              [AS_HELP_STRING([--disable-digestsign],
++                              [Disable support for digest and sign methods, helps with TPM unsupported hash algorithms.])],,
++              [enable_digestsign=yes])
+ AC_CHECK_LIB([crypto], EVP_PKEY_meth_set_digest_custom,
+-      [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], true)],
++      [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], [test "x$enable_digestsign" != "xno"])],
+       [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], false)])
+-AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes],
++AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes && test "x$enable_digestsign" = "xyes"],
+       [AC_DEFINE([HAVE_OPENSSL_DIGEST_SIGN], [1],
+                  Have required functionality from OpenSSL to support digest and sign)])
+ 
+-- 
+2.47.0
+
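Review bot: the two tests on enable_digestsign in the bundled configure.ac patch do not agree. The AM_CONDITIONAL uses `test "x$enable_digestsign" != "xno"` while the AS_IF that defines HAVE_OPENSSL_DIGEST_SIGN uses `test "x$enable_digestsign" = "xyes"`, so any value other than yes or no (for example `--enable-digestsign=foo`) turns the automake conditional on without the config.h define. Buildroot only ever passes the plain enable/disable forms, so this is harmless here, but since the patch is an upstream backport it is worth reporting upstream rather than changing locally.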
diff --git a/package/tpm2-tss-engine/Config.in b/package/tpm2-tss-engine/Config.in
new file mode 100644
index 0000000000..00f8ac7632
--- /dev/null
+++ b/package/tpm2-tss-engine/Config.in
@@ -0,0 +1,21 @@
+config BR2_PACKAGE_TPM2_TSS_ENGINE
+	bool "tpm2-tss-engine"
+	select BR2_PACKAGE_TPM2_TSS
+	select BR2_PACKAGE_LIBOPENSSL_ENGINES
+	help
+	  The tpm2-tss-engine project implements a cryptographic engine
+	  for OpenSSL for Trusted Platform Module (TPM 2.0) using the
+	  tpm2-tss software stack that follows the Trusted Computing
+	  Groups (TCG) TPM Software Stack (TSS 2.0). It uses the
+	  Enhanced System API (ESAPI) interface of the TSS 2.0 for
+	  downwards communication. It supports RSA decryption and
+	  signatures as well as ECDSA signatures.
+
+if BR2_PACKAGE_TPM2_TSS_ENGINE
+
+config BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN
+	bool "enable digest and sign support"
+	help
+	  Enable digest-sign hash operations on the TPM.
+
+endif
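Review bot: the help text of BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN, "Enable digest-sign hash operations on the TPM.", does not tell a user when to choose it. The description of the bundled 0001 patch has the missing information: with digest-sign the hash is computed on the TPM, TPMs in general do not support SHA512 so this can lead to errors, and the feature is what supports restricted keys. Carry that into the help text so the default-off setting is an informed choice.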
diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.hash b/package/tpm2-tss-engine/tpm2-tss-engine.hash
new file mode 100644
index 0000000000..294847d5f8
--- /dev/null
+++ b/package/tpm2-tss-engine/tpm2-tss-engine.hash
@@ -0,0 +1,3 @@
+# Locally computed:
+sha256  3c94fef110dd3630b3c28c5875febba76b7d5ba2fcc04a14c4a30f5d2157c265  tpm2-tss-engine-1.2.0.tar.gz
+sha256  7a77915f34caf18d47bc31750dae47dbd7f7895e95bbb8370f477c25009388f6  LICENSE
diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.mk b/package/tpm2-tss-engine/tpm2-tss-engine.mk
new file mode 100644
index 0000000000..66c5584505
--- /dev/null
+++ b/package/tpm2-tss-engine/tpm2-tss-engine.mk
@@ -0,0 +1,33 @@
+################################################################################
+#
+# tpm2-tss-engine
+#
+################################################################################
+
+TPM2_TSS_ENGINE_VERSION = 1.2.0
+TPM2_TSS_ENGINE_SITE = https://github.com/tpm2-software/tpm2-tss-engine/releases/download/$(TPM2_TSS_ENGINE_VERSION)
+TPM2_TSS_ENGINE_LICENSE = BSD-3-Clause
+TPM2_TSS_ENGINE_LICENSE_FILES = LICENSE
+TPM2_TSS_ENGINE_INSTALL_STAGING = YES
+TPM2_TSS_ENGINE_DEPENDENCIES = host-pkgconf tpm2-tss
+TPM2_TSS_ENGINE_AUTORECONF = YES
+
+# Since the OpenSSL 3.0 Engine APIs are deprecated, suppress the warnings.
+TPM2_TSS_ENGINE_CFLAGS = $(TARGET_CFLAGS) -Wno-deprecated-declarations
+TPM2_TSS_ENGINE_CONF_ENV += CFLAGS="$(TPM2_TSS_ENGINE_CFLAGS)"
+
+define TPM2_TSS_ENGINE_ENGINESDIR
+	$(PKG_CONFIG_HOST_BINARY) --variable=enginesdir libcrypto \
+		| xargs readlink -f \
+		| sed 's%^$(STAGING_DIR)%%'
+endef
+
+TPM2_TSS_ENGINE_CONF_OPTS = \
+	--disable-defaultflags \
+	--with-enginesdir=`$(TPM2_TSS_ENGINE_ENGINESDIR)`
+
+ifneq ($(BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN),y)
+TPM2_TSS_ENGINE_CONF_OPTS += --disable-digestsign
+endif
+
+$(eval $(autotools-package))
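Review bot: TPM2_TSS_ENGINE_DEPENDENCIES lists only `host-pkgconf tpm2-tss`, yet the configure options query pkg-config for libcrypto's enginesdir and the package builds an OpenSSL engine. OpenSSL is reached only transitively through tpm2-tss; add `openssl` to the list explicitly so the build order does not rely on another package's dependencies. Note also that `-Wno-deprecated-declarations` silences every deprecation warning in the build, not only those from the Engine API the comment refers to.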
-- 
2.47.0


* Re: [Buildroot] [PATCH v3 1/2] package/tpm2-tss: bump version to 4.1.3
  2024-11-29 22:10     ` [Buildroot] [PATCH v3 " Abelino Romo
@ 2025-07-07 15:18       ` Fiona Klute via buildroot
  0 siblings, 0 replies; 14+ messages in thread
From: Fiona Klute via buildroot @ 2025-07-07 15:18 UTC (permalink / raw)
  To: Abelino Romo, buildroot; +Cc: Thomas Petazzoni

On 29.11.24 at 23:10, Abelino Romo wrote:
> On v3.2.2, testing with an Infineon SLB9673 resulted in the following
> error when attempting to read from a previously written NV index.
> Upgrading to the latest release, v4.1.3, resolves the issue:
> 
> ```shell
> ~# tpm2_nvread 0x1900001
> WARN: Reading full size of the NV index
> ERROR:esys:../tpm2-tss-3.2.2/src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() Error: Esys handle does not exist (70018).
> ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad
> ERROR: Failed to get shandle
> ERROR: Failed to read NVRAM area at index 0x1900001
> ERROR: Unable to run tpm2_nvread
> ```
> 
> Between v3.2.2 and v4.1.3, the most notable update is v4.1.0 [1], which
> includes a fix for CVE-2024-29040, along with 40+ bug fixes and 10+ new
> features. Bumping to v4.1.3 adds access to these improvements and
> addresses the NV index read issue.
> 
> [1] https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0
> 
> Signed-off-by: Abelino Romo <abelino.romo@gmail.com>

Tested-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>

I've tested using the TPM with package/tpm2-pkcs11.

There's a trivial merge conflict with the package/tpm2-abrmd init script 
rewrite I sent earlier [1] because both patches remove adjacent lines in 
.checkpackageignore, but that should be easy to fix and more reason to 
merge. :-)

Best regards,
Fiona

[1] https://patchwork.ozlabs.org/project/buildroot/patch/20250707141052.280200-3-fiona.klute@gmx.de/

> ---
> Changes v2 -> v3:
>    - Use manually uploaded tarball - the artifact from releases/download URL -
> 	  and not the archive tarball.
> 	  (suggested by Thomas Petazzoni)
> 
> 	- Updated Signed-Off formatting.
> 	  (suggested by Thomas Petazzoni)
> 
>   .checkpackageignore                           |  1 -
>   ...01-Temporary-fix-for-build-without-C.patch | 44 -------------------
>   package/tpm2-tss/Config.in                    |  2 +
>   package/tpm2-tss/tpm2-tss.hash                |  2 +-
>   package/tpm2-tss/tpm2-tss.mk                  |  9 ++--
>   5 files changed, 6 insertions(+), 52 deletions(-)
>   delete mode 100644 package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
> 
> diff --git a/.checkpackageignore b/.checkpackageignore
> index b793026881..906a733b7b 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1237,7 +1237,6 @@ package/tinycompress/0001-wave-add-time.h-missing-header-inclusion.patch lib_pat
>   package/tinydtls/0001-sha2-sha2.c-fix-build-on-big-endian.patch lib_patch.Upstream
>   package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch lib_patch.Upstream
>   package/tpm2-abrmd/S80tpm2-abrmd Shellcheck lib_sysv.Indent lib_sysv.Variables
> -package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch lib_patch.Upstream
>   package/transmission/S92transmission Shellcheck lib_sysv.ConsecutiveEmptyLines lib_sysv.Indent lib_sysv.Variables
>   package/triggerhappy/S10triggerhappy Shellcheck lib_sysv.Indent lib_sysv.Variables
>   package/trinity/0001-Fix-build-with-GCC-10.patch lib_patch.Upstream
> diff --git a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch b/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
> deleted file mode 100644
> index 812c753ffb..0000000000
> --- a/package/tpm2-tss/0001-Temporary-fix-for-build-without-C.patch
> +++ /dev/null
> @@ -1,44 +0,0 @@
> -From 7dc753ad27a8cd14c9b00be94ca89b847cf05ce9 Mon Sep 17 00:00:00 2001
> -From: Carlos Santos <unixmania@gmail.com>
> -Date: Mon, 23 Dec 2019 08:02:19 -0300
> -Subject: [PATCH] Temporary fix for build without C++
> -
> -C++ is required only for the fuzzing tests but AC_PROG_CXX is included
> -by configure.ac even when fuzzing is not enabled (which we don't do on
> -Buildroot).
> -
> -The patch applied upstream had issues and was reverted[1]. Use a local
> -patch to solve the problem temporaryly.
> -
> -Fixes:
> -    http://autobuild.buildroot.net/results/13f5e37b47b255da4158bec34e5459136f7e60d4
> -    http://autobuild.buildroot.net/results/1c26db2509c79e00c0de1165945277eaa57b149f
> -    http://autobuild.buildroot.net/results/b7b6b7b7aca79e847b442cbd2305427d91fe5d70
> -    http://autobuild.buildroot.net/results/1cd5a82a0e799aa5027e2e2c03b246332cc3a15d
> -    http://autobuild.buildroot.net/results/d7ec878907f714377c83e9a496e97cbf9382d787
> -    http://autobuild.buildroot.net/results/1c7f0c1b3ce4871cd87bd6059b1f0a6dc4e74a9c
> -    http://autobuild.buildroot.net/results/196b81d580325607c8da90beeb79e1f6b8ab8b47
> -    http://autobuild.buildroot.net/results/f90f7b4ac710b56686635f8ae27059c11b963e47
> -
> -1. https://github.com/tpm2-software/tpm2-tss/commit/60c26e4c4faba6ba12469485653e17092b510840
> -
> -Signed-off-by: Carlos Santos <unixmania@gmail.com>
> ----
> - configure.ac | 1 -
> - 1 file changed, 1 deletion(-)
> -
> -diff --git a/configure.ac b/configure.ac
> -index ff59dd7c..3e4028fb 100755
> ---- a/configure.ac
> -+++ b/configure.ac
> -@@ -26,7 +26,6 @@ AX_IS_RELEASE(dash-version)
> - AX_CHECK_ENABLE_DEBUG([info])
> -
> - AC_PROG_CC
> --AC_PROG_CXX
> - AC_PROG_LN_S
> - AC_USE_SYSTEM_EXTENSIONS
> - LT_INIT()
> ---
> -2.26.2
> -
> diff --git a/package/tpm2-tss/Config.in b/package/tpm2-tss/Config.in
> index 857987ae36..d87c1e0d8d 100644
> --- a/package/tpm2-tss/Config.in
> +++ b/package/tpm2-tss/Config.in
> @@ -39,6 +39,8 @@ config BR2_PACKAGE_TPM2_TSS_FAPI
>   	depends on BR2_TOOLCHAIN_HAS_SYNC_4 # json-c
>   	select BR2_PACKAGE_JSON_C
>   	select BR2_PACKAGE_LIBCURL
> +	select BR2_PACKAGE_UTIL_LINUX
> +	select BR2_PACKAGE_UTIL_LINUX_LIBUUID
>   	help
>   	  This option allows to enable Feature API (FAPI).  Feature
>   	  API (FAPI) as described in the "TSS 2.0 Feature API
> diff --git a/package/tpm2-tss/tpm2-tss.hash b/package/tpm2-tss/tpm2-tss.hash
> index c9fa4e6ae0..891c1285b0 100644
> --- a/package/tpm2-tss/tpm2-tss.hash
> +++ b/package/tpm2-tss/tpm2-tss.hash
> @@ -1,3 +1,3 @@
>   # Locally computed:
> -sha256  ba9e52117f254f357ff502e7d60fce652b3bfb26327d236bbf5ab634235e40f1  tpm2-tss-3.2.2.tar.gz
> +sha256  37f1580200ab78305d1fc872d89241aaee0c93cbe85bc559bf332737a60d3be8  tpm2-tss-4.1.3.tar.gz
>   sha256  18c1bf4b1ba1fb2c4ffa7398c234d83c0d55475298e470ae1e5e3a8a8bd2e448  LICENSE
> diff --git a/package/tpm2-tss/tpm2-tss.mk b/package/tpm2-tss/tpm2-tss.mk
> index b76d16e71e..c8a7df7724 100644
> --- a/package/tpm2-tss/tpm2-tss.mk
> +++ b/package/tpm2-tss/tpm2-tss.mk
> @@ -4,7 +4,7 @@
>   #
>   ################################################################################
>   
> -TPM2_TSS_VERSION = 3.2.2
> +TPM2_TSS_VERSION = 4.1.3
>   TPM2_TSS_SITE = https://github.com/tpm2-software/tpm2-tss/releases/download/$(TPM2_TSS_VERSION)
>   TPM2_TSS_LICENSE = BSD-2-Clause
>   TPM2_TSS_LICENSE_FILES = LICENSE
> @@ -13,9 +13,6 @@ TPM2_TSS_CPE_ID_PRODUCT = tpm2_software_stack
>   TPM2_TSS_INSTALL_STAGING = YES
>   TPM2_TSS_DEPENDENCIES = openssl host-pkgconf
>   
> -# 0001-configure-Only-use-CXX-when-fuzzing.patch
> -TPM2_TSS_AUTORECONF = YES
> -
>   # systemd-sysusers and systemd-tmpfiles are only used at install time
>   # to trigger the creation of users adn tmpfiles, which we do not care
>   # about at build time. groupadd, useradd, and setfacl are used in the
> @@ -36,10 +33,10 @@ TPM2_TSS_CONF_OPTS = \
>   TPM2_TSS_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -std=c99"
>   
>   ifeq ($(BR2_PACKAGE_TPM2_TSS_FAPI),y)
> -TPM2_TSS_DEPENDENCIES += json-c libcurl
> +TPM2_TSS_DEPENDENCIES += json-c libcurl util-linux
>   TPM2_TSS_CONF_OPTS += --enable-fapi
>   else
> -TPM2_TSS_CONF_OPTS += --disable-fapi
> +TPM2_TSS_CONF_OPTS += --disable-fapi --disable-policy
>   endif
>   
>   define TPM2_TSS_USERS


* Re: [Buildroot] [PATCH v3 2/2] package/tpm2-tss-engine: add version 1.2.0
  2024-11-29 22:13     ` [Buildroot] [PATCH v3 " Abelino Romo
@ 2025-12-23 21:23       ` Thomas Petazzoni via buildroot
  2025-12-23 21:25         ` Thomas Petazzoni via buildroot
  0 siblings, 1 reply; 14+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-12-23 21:23 UTC (permalink / raw)
  To: Abelino Romo; +Cc: buildroot

Hello Abelino,

Sorry for the very very long delay in getting back to you. I wanted to
apply this, but unfortunately, it causes a build failure when
BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN is enabled:

src/tpm2-tss-engine-ecc.c: In function ‘init_ecc’:
src/tpm2-tss-engine-ecc.c:864:46: error: passing argument 2 of ‘EVP_PKEY_meth_get_copy’ from incompatible pointer type [-Wincompatible-pointer-types]
  864 |     EVP_PKEY_meth_get_copy(pkey_ecc_methods, &ecdsa_pkey_orig_copy);
      |                                              ^~~~~~~~~~~~~~~~~~~~~
      |                                              |
      |                                              int (**)(EVP_PKEY_CTX *, EVP_PKEY_CTX *) {aka int (**)(struct evp_pkey_ctx_st *, struct evp_pkey_ctx_st *)}

src/tpm2-tss-engine-ecc.c:867:46: error: passing argument 2 of ‘EVP_PKEY_meth_set_copy’ from incompatible pointer type [-Wincompatible-pointer-types]
  867 |     EVP_PKEY_meth_set_copy(pkey_ecc_methods, ecdsa_pkey_copy);
      |                                              ^~~~~~~~~~~~~~~
      |                                              |
      |                                              int (*)(EVP_PKEY_CTX *, EVP_PKEY_CTX *) {aka int (*)(struct evp_pkey_ctx_st *, struct evp_pkey_ctx_st *)}

etc.

Please see some more small comments below that I had fixed locally, but
that would be needed for your v4.

First, the commit title should be just:

	package/tpm2-tss-engine: new package

On Fri, 29 Nov 2024 14:13:24 -0800
Abelino Romo <abelino.romo@gmail.com> wrote:

> Introduce the TPM2-TSS OpenSSL Engine to enable TPM2 device support in
> ecosystems that do not yet support OpenSSL Providers. This is
> particularly useful in the Erlang space, where OpenSSL 3 Providers are
> still under development [1].
> 
> [1] https://erlangforums.com/t/openssl-3-support-for-provider-deprecated-engine-replacement/2954/2
> 
> Signed-off-by: Abelino Romo <abelino.romo@gmail.com>
> ---
> Changes v2 -> v3:
>   - Use manually uploaded tarball - the artifact from releases/download URL -
> 	  and not the archive tarball.
> 	  (suggested by Thomas Petazzoni in tpm2-tss patch thread)
> 
> 	- Updated Signed-Off formatting.
> 	  (suggested by Thomas Petazzoni in tpm2-tss patch thread)
> 
>  package/Config.in                             |  1 +
>  ...-disabling-of-digest-sign-operations.patch | 46 +++++++++++++++++++
>  package/tpm2-tss-engine/Config.in             | 21 +++++++++
>  package/tpm2-tss-engine/tpm2-tss-engine.hash  |  3 ++
>  package/tpm2-tss-engine/tpm2-tss-engine.mk    | 33 +++++++++++++
>  5 files changed, 104 insertions(+)

Please add an entry in the DEVELOPERS file.


> diff --git a/package/tpm2-tss-engine/Config.in b/package/tpm2-tss-engine/Config.in
> new file mode 100644
> index 0000000000..00f8ac7632
> --- /dev/null
> +++ b/package/tpm2-tss-engine/Config.in
> @@ -0,0 +1,21 @@
> +config BR2_PACKAGE_TPM2_TSS_ENGINE
> +	bool "tpm2-tss-engine"
> +	select BR2_PACKAGE_TPM2_TSS
> +	select BR2_PACKAGE_LIBOPENSSL_ENGINES
> +	help
> +	  The tpm2-tss-engine project implements a cryptographic engine
> +	  for OpenSSL for Trusted Platform Module (TPM 2.0) using the
> +	  tpm2-tss software stack that follows the Trusted Computing
> +	  Groups (TCG) TPM Software Stack (TSS 2.0). It uses the
> +	  Enhanced System API (ESAPI) interface of the TSS 2.0 for
> +	  downwards communication. It supports RSA decryption and
> +	  signatures as well as ECDSA signatures.

Please add:

+         https://github.com/tpm2-software/tpm2-tss-engine/


> +# Since the OpenSSL 3.0 Engine APIs are deprecated, suppress the warnings.
> +TPM2_TSS_ENGINE_CFLAGS = $(TARGET_CFLAGS) -Wno-deprecated-declarations
> +TPM2_TSS_ENGINE_CONF_ENV += CFLAGS="$(TPM2_TSS_ENGINE_CFLAGS)"

Change this to:

+# Since the OpenSSL 3.0 Engine APIs are deprecated, suppress the warnings.
+TPM2_TSS_ENGINE_CONF_ENV = \
+       CFLAGS="$(TARGET_CFLAGS) -Wno-deprecated-declarations"

> +define TPM2_TSS_ENGINE_ENGINESDIR
> +	$(PKG_CONFIG_HOST_BINARY) --variable=enginesdir libcrypto \
> +		| xargs readlink -f \
> +		| sed 's%^$(STAGING_DIR)%%'
> +endef
> +
> +TPM2_TSS_ENGINE_CONF_OPTS = \
> +	--disable-defaultflags \
> +	--with-enginesdir=`$(TPM2_TSS_ENGINE_ENGINESDIR)`

This to:

+# pkg-config returns a libcrypto enginesdir prefixed with the sysroot,
+# so let's rip it out.
+TPM2_TSS_ENGINE_CONF_OPTS = \
+       --disable-defaultflags \
+       --with-enginesdir=`$(PKG_CONFIG_HOST_BINARY) --variable enginesdir libcrypto | xargs readlink -f | sed 's%^$(STAGING_DIR)%%'`

> +ifneq ($(BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN),y)
> +TPM2_TSS_ENGINE_CONF_OPTS += --disable-digestsign
> +endif

And this to:

+ifeq ($(BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN),y)
+TPM2_TSS_ENGINE_CONF_OPTS += --enable-digestsign
+else
+TPM2_TSS_ENGINE_CONF_OPTS += --disable-digestsign
+endif

Thanks a lot!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com

* Re: [Buildroot] [PATCH v3 2/2] package/tpm2-tss-engine: add version 1.2.0
  2025-12-23 21:23       ` Thomas Petazzoni via buildroot
@ 2025-12-23 21:25         ` Thomas Petazzoni via buildroot
  0 siblings, 0 replies; 14+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-12-23 21:25 UTC (permalink / raw)
  To: Abelino Romo; +Cc: buildroot

Hello,

On Tue, 23 Dec 2025 22:23:58 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> Sorry for the very very long delay in getting back to you. I wanted to
> apply this, but unfortunately, it causes a build failure when
> BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN is enabled:

BTW, here is the defconfig that was used to produce this build failure:

BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2 is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4 is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2 is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4 is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2 is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2 is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_DES is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160 is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3 is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST is not set
# BR2_PACKAGE_LIBOPENSSL_UNSECURE is not set
# BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_ARGON2 is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_CACHED_FETCH is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_CMP is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_THREAD_POOL is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_ECX is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_PADLOCK_ENGINE is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_MODULE is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_QUIC is not set
# BR2_PACKAGE_LIBOPENSSL_SECURE_MEMORY is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_SIV is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_SM2_PRECOMP_TABLE is not set
# BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL_TRACE is not set
BR2_PACKAGE_TPM2_TSS_ENGINE=y
BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN=y
# BR2_TARGET_ROOTFS_TAR is not set

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
