Re: [Buildroot] [PATCH 1/2] package/wolftpm: fix dependencies

From: Dimi Tomov <dimi@tpm.dev>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>,
	Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/2] package/wolftpm: fix dependencies
Date: Sat, 11 Jun 2022 23:19:43 +0300	[thread overview]
Message-ID: <4b6ad1f2e42a88e1bbffefb9480ff5f2@tpm.dev> (raw)
In-Reply-To: <20220611143544.844613-1-fontaine.fabrice@gmail.com>

Hi Fabrice,

1) I advise strongly against this patch in its current form due to 
security concerns. Please find my motivation below.

2) Existing wolfTPM dependencies are propagated from the wolfssl 
package.

3) I am unable to reproduce your build error. Please provide the exact 
commands and order you are running them on a clean buildroot master.

Topic #1

In order to have Man-in-the-middle protection, wolfTPM needs a 
cryptogrpahic provider to set a secure channel of communication between 
the HOST CPU and the TPM 2.0 HSM chip. Without MITM protection, keys and 
other sensitive data can be sniffed, making it pointless to use a TPM 
2.0 security chip in the first place.

Therefore, making the default wolfTPM build work without wolfssl is a 
SECURITY RED FLAG.

Please consider adding an OPTION to build wolfTPM without wolfssl, 
however keep the default wolfTPM build require the wolfssl library.

Topic #2

The threads and dynamic library support dependencies are propagated from 
the wolfssl package and per recommendation of Thomas (adding to our 
discussion).

Both, wolfssl and wolfTPM could be build statically, however this is not 
how I found the wolfssl package working in buildroot. Therefore, I used 
the existing code base and added the wolftpm package accordingly.

Topic #3

It is a good practice when reporting an error to share how it can be 
reproduced. I am unable to reproduce your build error.

Last

I find it difficult to address multiple topics/major changes in one 
patch. I have tried to decouple the topics above and I am ready to 
discuss further. Thank you for providing this feedback. I think there 
are improvements we could make based on what is the expectation and 
buildroot maintainers' requirements.

Regards,
Dimi
-- 
Founder of TPM.dev

On 2022-06-11 05:35 PM, Fabrice Fontaine wrote:
> pkg-config is not used by wolftpm and wolfssl dependency is missing 
> (and
> optional) resulting in the following build failure since the addition 
> of
> the package in commit 4bb884a3c61c6b71e33f69453a90eb2a367f64b7:
> 
> configure: error: WolfSSL library not found. You can get it from
> http://www.wolfssl.com/download.html
>         If it's already installed, specify its path using
> --with-wolfcrypt=/dir or --prefix=/dir
> 
> Moreover, BR2_PACKAGE_WOLFSSL_ALL, threads and dynamic libray support
> are not mandatory:
> 
> ./utils/test-pkg -p wolftpm
>                     bootlin-armv5-uclibc [1/6]: OK
>                      bootlin-armv7-glibc [2/6]: OK
>                    bootlin-armv7m-uclibc [3/6]: OK
>                      bootlin-x86-64-musl [4/6]: OK
>                       br-arm-full-static [5/6]: OK
>                             sourcery-arm [6/6]: OK
> 6 builds, 0 skipped, 0 build failed, 0 legal-info failed, 0 show-info 
> failed
> 
> Fixes:
>  -
> http://autobuild.buildroot.org/results/77a93521b909e701ef4e86f18524258b9242c721
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/wolftpm/Config.in  |  7 -------
>  package/wolftpm/wolftpm.mk | 13 ++++++++++---
>  2 files changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/package/wolftpm/Config.in b/package/wolftpm/Config.in
> index 0fe094f277..741d92aa4e 100644
> --- a/package/wolftpm/Config.in
> +++ b/package/wolftpm/Config.in
> @@ -1,9 +1,5 @@
>  config BR2_PACKAGE_WOLFTPM
>  	bool "wolftpm"
> -	depends on BR2_TOOLCHAIN_HAS_THREADS
> -	depends on !BR2_STATIC_LIBS
> -	select BR2_PACKAGE_WOLFSSL
> -	select BR2_PACKAGE_WOLFSSL_ALL
>  	help
>  	  wolfTPM is a portable, open-source TPM 2.0 stack with
>  	  backward API compatibility, designed for embedded use.
> @@ -11,6 +7,3 @@ config BR2_PACKAGE_WOLFTPM
>  	  resource usage.
> 
>  	  https://www.wolfssl.com/
> -
> -comment "wolftpm needs a toolchain w/ threads, dynamic library"
> -	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
> diff --git a/package/wolftpm/wolftpm.mk b/package/wolftpm/wolftpm.mk
> index ea01eaad6b..f0cf0df0d3 100644
> --- a/package/wolftpm/wolftpm.mk
> +++ b/package/wolftpm/wolftpm.mk
> @@ -10,7 +10,6 @@ WOLFTPM_INSTALL_STAGING = YES
>  WOLFTPM_LICENSE = GPL-2.0+
>  WOLFTPM_LICENSE_FILES = LICENSE
>  WOLFTPM_CPE_ID_VENDOR = wolfssl
> -WOLFTPM_DEPENDENCIES = host-pkgconf
>  WOLFTPM_CONFIG_SCRIPTS = wolftpm-config
> 
>  # wolfTPM's source code is released without a configure script,
> @@ -19,8 +18,7 @@ WOLFTPM_AUTORECONF = YES
> 
>  WOLFTPM_CONF_OPTS = \
>  	--disable-examples \
> -	--enable-devtpm \
> -	--with-wolfcrypt=$(STAGING_DIR)/usr
> +	--enable-devtpm
> 
>  # Fix for missing config.rpath in the codebase
>  define WOLFTPM_TOUCH_CONFIG_RPATH
> @@ -29,4 +27,13 @@ define WOLFTPM_TOUCH_CONFIG_RPATH
>  endef
>  WOLFTPM_PRE_CONFIGURE_HOOKS += WOLFTPM_TOUCH_CONFIG_RPATH
> 
> +ifeq ($(BR2_PACKAGE_WOLFSSL),y)
> +WOLFTPM_CONF_OPTS += \
> +	--enable-wolfcrypt \
> +	--with-wolfcrypt=$(STAGING_DIR)/usr
> +WOLFTPM_DEPENDENCIES += wolfssl
> +else
> +WOLFTPM_CONF_OPTS += --disable-wolfcrypt
> +endif
> +
>  $(eval $(autotools-package))
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot