Diffstat (limited to 'meta-security/meta-tpm/recipes-tpm')
33 files changed, 2191 insertions, 0 deletions
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch b/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch new file mode 100644 index 000000000..9e1021a23 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch @@ -0,0 +1,26 @@ +From 09e7dd42e5201d079bad70e9f7cc6033ce1c7cad Mon Sep 17 00:00:00 2001 +From: Stefan Berger <stefanb@linux.vnet.ibm.com> +Date: Fri, 3 Feb 2017 10:58:22 -0500 +Subject: [PATCH] Convert another vdprintf to dprintf + +Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> +Upstream-Status: Backport +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + src/tpm_library.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: git/src/tpm_library.c +=================================================================== +--- git.orig/src/tpm_library.c ++++ git/src/tpm_library.c +@@ -427,7 +427,7 @@ void TPMLIB_LogPrintfA(unsigned int inde + indent = sizeof(spaces) - 1; + memset(spaces, ' ', indent); + spaces[indent] = 0; +- vdprintf(debug_fd, spaces, NULL); ++ dprintf(debug_fd, "%s", spaces); + } + + va_start(args, format); diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch b/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch new file mode 100644 index 000000000..a71b5c1c7 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch 
@@ -0,0 +1,33 @@ +From 6a9b4e5d70f770aa9ca31e3e6d3b1ae72c192070 Mon Sep 17 00:00:00 2001 +From: Stefan Berger <stefanb@linux.vnet.ibm.com> +Date: Tue, 31 Jan 2017 20:10:51 -0500 +Subject: [PATCH] Use format '%s' for call to dprintf + +Fix the dprintf call to use a format parameter that otherwise causes +errors with gcc on certain platforms. + +Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> + +Upstream-Status: Backport +replaces local patch +Signed-off-by: Armin Kuster <akuster@mvsita.com> + +--- + src/tpm_library.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: git/src/tpm_library.c +=================================================================== +--- git.orig/src/tpm_library.c ++++ git/src/tpm_library.c +@@ -405,8 +405,8 @@ int TPMLIB_LogPrintf(const char *format, + } + + if (debug_prefix) +- dprintf(debug_fd, debug_prefix); +- dprintf(debug_fd, buffer); ++ dprintf(debug_fd, "%s", debug_prefix); ++ dprintf(debug_fd, "%s", buffer); + + return i; + } diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch b/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch new file mode 100644 index 000000000..fc13aa544 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch 
@@ -0,0 +1,48 @@ +Upstream-Status: Pending +Signed-off-by: Armin kuster <akuster808@gmail.com> + +Index: git/src/swtpm/ctrlchannel.c +=================================================================== +--- git.orig/src/swtpm/ctrlchannel.c ++++ git/src/swtpm/ctrlchannel.c +@@ -152,7 +152,8 @@ static int ctrlchannel_receive_state(ptm + uint32_t tpm_number = 0; + unsigned char *blob = NULL; + uint32_t blob_length = be32toh(pss->u.req.length); +- uint32_t remain = blob_length, offset = 0; ++ ssize_t remain = (ssize_t) blob_length; ++ uint32_t offset = 0; + TPM_RESULT res; + uint32_t flags = be32toh(pss->u.req.state_flags); + TPM_BOOL is_encrypted = (flags & PTM_STATE_FLAG_ENCRYPTED) != 0; +Index: git/src/swtpm_ioctl/tpm_ioctl.c +=================================================================== +--- git.orig/src/swtpm_ioctl/tpm_ioctl.c ++++ git/src/swtpm_ioctl/tpm_ioctl.c +@@ -303,7 +303,7 @@ static int do_save_state_blob(int fd, bo + numbytes = write(file_fd, pgs.u.resp.data, + devtoh32(is_chardev, pgs.u.resp.length)); + +- if (numbytes != devtoh32(is_chardev, pgs.u.resp.length)) { ++ if (numbytes != (ssize_t) devtoh32(is_chardev, pgs.u.resp.length)) { + fprintf(stderr, + "Could not write to file '%s': %s\n", + filename, strerror(errno)); +@@ -420,7 +420,7 @@ static int do_load_state_blob(int fd, bo + had_error = true; + break; + } +- pss.u.req.length = htodev32(is_chardev, numbytes); ++ pss.u.req.length = htodev32(is_chardev, (uint32_t) numbytes); + + /* the returnsize is zero on all intermediate packets */ + returnsize = ((size_t)numbytes < sizeof(pss.u.req.data)) +@@ -863,7 +863,7 @@ int main(int argc, char *argv[]) + return EXIT_FAILURE; + } + /* no tpm_result here */ +- printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap)); ++ printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap)); + + } else if (!strcmp(command, "-i")) { + init.u.req.init_flags = htodev32(is_chardev, PTM_INIT_FLAG_DELETE_VOLATILE); 
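Review bot: `printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));` in the last tpm_ioctl.c hunk still mismatches format and argument: on LP64 targets uint64_t is `unsigned long`, so `%llx` only trades the 32-bit warning for a 64-bit one. The portable form is `printf("ptm capability is 0x%" PRIx64 "\n", (uint64_t)devtoh64(is_chardev, cap));`. The `(uint32_t) numbytes` cast in do_load_state_blob is only safe if a negative `numbytes` is rejected just before the hunk; the `had_error = true; break;` context suggests it is, but the condition itself is outside the hunk, and the enclosing functions all start and end outside the visible lines.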
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
new file mode 100644
index 000000000..b29ec6bbe
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "LIBPM - Software TPM Library"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=97e5eea8d700d76b3ddfd35c4c96485f"
+
+SRCREV = "3388d45082bdc588c6fc0672f44d6d7d0aaa86ff"
+SRC_URI = " \
+ git://github.com/stefanberger/libtpms.git \
+ "
+
+S = "${WORKDIR}/git"
+inherit autotools-brokensep pkgconfig
+
+PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
+
+PV = "1.0+git${SRCPV}"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
new file mode 100644
index 000000000..67071b605
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
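Review bot: `SUMMARY = "LIBPM - Software TPM Library"` misnames the project the recipe builds; `SUMMARY = "libtpms - Software TPM Library"` matches the SRC_URI. The fetch `git://github.com/stefanberger/libtpms.git` uses the unauthenticated git protocol; SRCREV pins the commit hash, so a tampered mirror cannot silently substitute code, but the transport should still be `git://github.com/stefanberger/libtpms.git;protocol=https` (the same applies to pcr-extend_git.bb and swtpm_1.0.bb in this commit). `PV = "1.0+git${SRCPV}"` conventionally sits next to SRCREV rather than after PACKAGECONFIG.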
@@ -0,0 +1,99 @@ +commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed +Author: Junxian.Xiao <Junxian.Xiao@windriver.com> +Date: Wed Jun 19 18:57:13 2013 +0800 + +support well-known password in openssl-tpm-engine. + +Add "-z" option to select well known password in create_tpm_key tool. + +Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com> + +diff --git a/create_tpm_key.c b/create_tpm_key.c +index fee917f..7b94d62 100644 +--- a/create_tpm_key.c ++++ b/create_tpm_key.c +@@ -46,6 +46,8 @@ + #include <trousers/tss.h> + #include <trousers/trousers.h> + ++#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/ ++ + #define print_error(a,b) \ + fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \ + a, b, Trspi_Error_String(b)) +@@ -70,6 +72,7 @@ usage(char *argv0) + "\t\t-e|--enc-scheme encryption scheme to use [PKCSV15] or OAEP\n" + "\t\t-q|--sig-scheme signature scheme to use [DER] or SHA1\n" + "\t\t-s|--key-size key size in bits [2048]\n" ++ "\t\t-z|--zerokey use well known 20 bytes zero as SRK password.\n" + "\t\t-a|--auth require a password for the key [NO]\n" + "\t\t-p|--popup use TSS GUI popup dialogs to get the password " + "for the\n\t\t\t\t key [NO] (implies --auth)\n" +@@ -147,6 +150,7 @@ int main(int argc, char **argv) + int asn1_len; + char *filename, c, *openssl_key = NULL; + int option_index, auth = 0, popup = 0, wrap = 0; ++ int wellknownkey = 0; + UINT32 enc_scheme = TSS_ES_RSAESPKCSV15; + UINT32 sig_scheme = TSS_SS_RSASSAPKCS1V15_DER; + UINT32 key_size = 2048; +@@ -154,12 +158,15 @@ int main(int argc, char **argv) + + while (1) { + option_index = 0; +- c = getopt_long(argc, argv, "pe:q:s:ahw:", ++ c = getopt_long(argc, argv, "pe:q:s:zahw:", + long_options, &option_index); + if (c == -1) + break; + + switch (c) { ++ case 'z': ++ wellknownkey = 1; ++ break; + case 'a': + initFlags |= TSS_KEY_AUTHORIZATION; + auth = 1; +@@ -293,6 +300,8 @@ int main(int argc, char **argv) + + if (srk_authusage) { + char *authdata = 
calloc(1, 128); ++ TSS_FLAG secretMode = TSS_SECRET_MODE_PLAIN; ++ int authlen = 0; + + if (!authdata) { + fprintf(stderr, "malloc failed.\n"); +@@ -309,17 +318,26 @@ int main(int argc, char **argv) + exit(result); + } + +- if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) { +- Tspi_Context_CloseObject(hContext, hKey); +- Tspi_Context_Close(hContext); +- free(authdata); +- exit(result); ++ if (wellknownkey) { ++ memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN); ++ secretMode = TSS_SECRET_MODE_SHA1; ++ authlen = TPM_WELL_KNOWN_KEY_LEN; ++ } ++ else { ++ if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) { ++ Tspi_Context_CloseObject(hContext, hKey); ++ Tspi_Context_Close(hContext); ++ free(authdata); ++ exit(result); ++ } ++ secretMode = TSS_SECRET_MODE_PLAIN; ++ authlen = strlen(authdata); + } + + //Set Secret + if ((result = Tspi_Policy_SetSecret(srkUsagePolicy, +- TSS_SECRET_MODE_PLAIN, +- strlen(authdata), ++ secretMode, ++ authlen, + (BYTE *)authdata))) { + print_error("Tspi_Policy_SetSecret", result); + free(authdata); diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch new file mode 100644 index 000000000..f718f2e64 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch 
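Review bot: The usage text advertises `-z|--zerokey` and the short option string gains `z`, but the hunk does not touch the `long_options` table, so unless it is extended outside this hunk `--zerokey` will be rejected while `-z` works; either add the table entry or say in the patch header that only `-z` is supported. With `-z`, `memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN)` plus `TSS_SECRET_MODE_SHA1` supplies the TCG well-known secret, i.e. a value that is public by definition; a comment such as `/* well-known secret: 20 zero bytes, passed pre-hashed (SHA1 mode) */` would make that explicit. Both branches leave the secret in `authdata` and `free()` it unwiped on the error paths; `OPENSSL_cleanse(authdata, 128);` before each `free(authdata)` would bound the in-memory exposure. `secretMode` is initialized to `TSS_SECRET_MODE_PLAIN` at declaration and assigned the same value again in the else branch. The enclosing `main` starts and ends outside the hunk.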
@@ -0,0 +1,80 @@ +commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed +Author: Junxian.Xiao <Junxian.Xiao@windriver.com> +Date: Wed Jun 19 18:57:13 2013 +0800 + +support reading SRK password from env TPM_SRK_PW + +Add "env TPM_SRK_PW=xxxx" to set password for libtpm.so. Specially, +use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password. + +Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com> + +diff --git a/e_tpm.c b/e_tpm.c +index f3e8bcf..7dcb75a 100644 +--- a/e_tpm.c ++++ b/e_tpm.c +@@ -38,6 +38,8 @@ + + #include "e_tpm.h" + ++#define TPM_WELL_KNOWN_KEY_LEN 20 /*well know key length is 20 bytes zero*/ ++ + //#define DLOPEN_TSPI + + #ifndef OPENSSL_NO_HW +@@ -248,6 +250,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) + TSS_RESULT result; + UINT32 authusage; + BYTE *auth; ++ char *srkPasswd = NULL; ++ TSS_FLAG secretMode = secret_mode; ++ int authlen = 0; ++ + + if (hSRK != NULL_HKEY) { + DBGFN("SRK is already loaded."); +@@ -299,18 +305,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) + return 0; + } + +- if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ", +- cb_data)) { +- Tspi_Context_CloseObject(hContext, hSRK); +- free(auth); +- TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); +- return 0; ++ srkPasswd = getenv("TPM_SRK_PW"); ++ if (NULL != srkPasswd) { ++ if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) { ++ memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN); ++ secretMode = TSS_SECRET_MODE_SHA1; ++ authlen = TPM_WELL_KNOWN_KEY_LEN; ++ } else { ++ int authbuflen = 128; ++ memset(auth, 0, authbuflen); ++ strncpy(auth, srkPasswd, authbuflen-1); ++ secretMode = TSS_SECRET_MODE_PLAIN; ++ authlen = strlen(auth); ++ } ++ } ++ else { ++ if (!tpm_engine_get_auth(ui, (char *)auth, 128, ++ "SRK authorization: ", cb_data)) { ++ Tspi_Context_CloseObject(hContext, hSRK); ++ free(auth); ++ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ secretMode = secret_mode; ++ authlen = strlen(auth); + } + + /* secret_mode is a global that may 
be set by engine ctrl + * commands. By default, its set to TSS_SECRET_MODE_PLAIN */ +- if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secret_mode, +- strlen((char *)auth), auth))) { ++ if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secretMode, ++ authlen, auth))) { + Tspi_Context_CloseObject(hContext, hSRK); + free(auth); + TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch new file mode 100644 index 000000000..d24a150e5 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch @@ -0,0 +1,25 @@ +From 7848445a1f4c750ef73bf96f5e89d402f87a1756 Mon Sep 17 00:00:00 2001 +From: Lans Zhang <jia.zhang@windriver.com> +Date: Mon, 19 Jun 2017 14:54:28 +0800 +Subject: [PATCH] Fix not building libtpm.la + +Signed-off-by: Lans Zhang <jia.zhang@windriver.com> +--- + Makefile.am | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 6695656..634a7e6 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -10,4 +10,6 @@ libtpm_la_LIBADD=-lcrypto -lc -ltspi + libtpm_la_SOURCES=e_tpm.c e_tpm.h e_tpm_err.c + + create_tpm_key_SOURCES=create_tpm_key.c +-create_tpm_key_LDADD=-ltspi ++create_tpm_key_LDFLAGS=-ltspi ++ ++LDADD=libtpm.la +-- +2.7.5 + diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch new file mode 100644 index 000000000..a88148fe4 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch 
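Review bot: Reading the SRK secret from `getenv("TPM_SRK_PW")` leaves it readable in the process environment and in every child process, and `auth` is freed without being wiped on the error path after `tpm_engine_get_auth`; as in create_tpm_key, `OPENSSL_cleanse(auth, 128);` before `free(auth)` would at least limit the in-memory exposure. `strncpy(auth, srkPasswd, authbuflen-1)` after `memset(auth, 0, authbuflen)` does terminate the copy, but it silently truncates a longer value into a different secret; a guard like `if (strlen(srkPasswd) >= authbuflen) { TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); return 0; }` (with the same cleanup as the other error paths) would make that an error instead. `TSS_FLAG secretMode = secret_mode;` at the declaration and `secretMode = secret_mode;` in the else branch are redundant. The later 0003 patch in this commit gates this plain-text path behind `TPM_SRK_PLAIN_PW`, so the description here should say it is a development-only path. tpm_load_srk continues past the hunk.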
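Review bot: `create_tpm_key_LDFLAGS=-ltspi` moves a library into LDFLAGS so that the global `LDADD=libtpm.la` is not shadowed by a per-target LDADD; automake places LDFLAGS before the object files on the link line, so with a `--as-needed` toolchain (the default in OE) `-ltspi` can be dropped. The conventional form keeps both in the per-target variable, `create_tpm_key_LDADD=libtpm.la -ltspi`, and drops the global `LDADD=`.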
@@ -0,0 +1,254 @@ +From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001 +From: Limeng <Meng.Li@windriver.com> +Date: Fri, 23 Jun 2017 11:39:04 +0800 +Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password + from env + +Before, we support reading SRK password from env TPM_SRK_PW, +but it is a plain password and not secure. +So, we improve it and support to get an encrypted (AES algorithm) +SRK password from env, and then parse it. The default decrypting +AES password and salt is set in bb file. +When we initialize TPM, and set a SRK pw, and then we need to +encrypt it with the same AES password and salt by AES algorithm. +At last, we set a env as below: +export TPM_SRK_ENC_PW=xxxxxxxx +"xxxxxxxx" is the encrypted SRK password for libtpm.so. + +Signed-off-by: Meng Li <Meng.Li@windriver.com> +--- + e_tpm.c | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- + e_tpm.h | 4 ++ + e_tpm_err.c | 4 ++ + 3 files changed, 164 insertions(+), 1 deletion(-) + +diff --git a/e_tpm.c b/e_tpm.c +index 7dcb75a..11bf74b 100644 +--- a/e_tpm.c ++++ b/e_tpm.c +@@ -245,6 +245,118 @@ void ENGINE_load_tpm(void) + ERR_clear_error(); + } + ++static int tpm_decode_base64(unsigned char *indata, ++ int in_len, ++ unsigned char *outdata, ++ int *out_len) ++{ ++ int total_len, len, ret; ++ EVP_ENCODE_CTX dctx; ++ ++ EVP_DecodeInit(&dctx); ++ ++ total_len = 0; ++ ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len); ++ if (ret < 0) { ++ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED); ++ return 1; ++ } ++ ++ total_len += len; ++ ret = EVP_DecodeFinal(&dctx, outdata, &len); ++ if (ret < 0) { ++ TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED); ++ return 1; ++ } ++ total_len += len; ++ ++ *out_len = total_len; ++ ++ return 0; ++} ++ ++static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len, ++ unsigned char *outdata, ++ int *out_len) ++{ ++ int dec_data_len, dec_data_lenfinal; ++ unsigned char dec_data[256]; 
++ unsigned char *aes_pw; ++ unsigned char aes_salt[PKCS5_SALT_LEN]; ++ unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; ++ const EVP_CIPHER *cipher = NULL; ++ const EVP_MD *dgst = NULL; ++ EVP_CIPHER_CTX *ctx = NULL; ++ ++ if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) { ++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); ++ return 1; ++ } ++ ++ aes_pw = malloc(sizeof(SRK_DEC_PW) - 1); ++ if (aes_pw == NULL) { ++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); ++ return 1; ++ } ++ ++ memset(aes_salt, 0x00, sizeof(aes_salt)); ++ memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1); ++ memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1); ++ ++ cipher = EVP_get_cipherbyname("aes-128-cbc"); ++ if (cipher == NULL) { ++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); ++ free(aes_pw); ++ return 1; ++ } ++ dgst = EVP_sha256(); ++ ++ EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv); ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ /* Don't set key or IV right away; we want to check lengths */ ++ if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) { ++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); ++ free(aes_pw); ++ return 1; ++ } ++ ++ OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16); ++ OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16); ++ ++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) { ++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); ++ free(aes_pw); ++ return 1; ++ } ++ ++ if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) { ++ /* Error */ ++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); ++ free(aes_pw); ++ EVP_CIPHER_CTX_free(ctx); ++ return 1; ++ } ++ ++ if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) { ++ /* Error */ ++ TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); ++ free(aes_pw); ++ EVP_CIPHER_CTX_free(ctx); ++ return 1; ++ } ++ ++ 
dec_data_len = dec_data_len + dec_data_lenfinal; ++ ++ memcpy(outdata, dec_data, dec_data_len); ++ *out_len = dec_data_len; ++ ++ free(aes_pw); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return 0; ++} ++ + int tpm_load_srk(UI_METHOD *ui, void *cb_data) + { + TSS_RESULT result; +@@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) + return 0; + } + +- srkPasswd = getenv("TPM_SRK_PW"); ++ srkPasswd = getenv("TPM_SRK_ENC_PW"); + if (NULL != srkPasswd) { ++ int in_len = strlen(srkPasswd); ++ int out_len; ++ unsigned char *out_buf; ++ ++ if (!in_len || in_len % 4) { ++ Tspi_Context_CloseObject(hContext, hSRK); ++ free(auth); ++ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ ++ out_len = in_len * 3 / 4; ++ out_buf = malloc(out_len); ++ if (NULL == out_buf) { ++ Tspi_Context_CloseObject(hContext, hSRK); ++ free(auth); ++ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ ++ if (tpm_decode_base64(srkPasswd, strlen(srkPasswd), ++ out_buf, &out_len)) { ++ Tspi_Context_CloseObject(hContext, hSRK); ++ free(auth); ++ free(out_buf); ++ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ ++ if (tpm_decrypt_srk_pw(out_buf, out_len, ++ auth, &authlen)) { ++ Tspi_Context_CloseObject(hContext, hSRK); ++ free(auth); ++ free(out_buf); ++ TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED); ++ return 0; ++ } ++ secretMode = TSS_SECRET_MODE_PLAIN; ++ free(out_buf); ++ } ++#ifdef TPM_SRK_PLAIN_PW ++ else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) { + if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) { + memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN); + secretMode = TSS_SECRET_MODE_SHA1; +@@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data) + authlen = strlen(auth); + } + } ++#endif + else { + if (!tpm_engine_get_auth(ui, (char *)auth, 128, + "SRK authorization: ", cb_data)) { +diff --git a/e_tpm.h b/e_tpm.h +index 6316e0b..56ff202 100644 +--- a/e_tpm.h ++++ b/e_tpm.h +@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, 
int reason, char *file, int line); + #define TPM_F_TPM_FILL_RSA_OBJECT 116 + #define TPM_F_TPM_ENGINE_GET_AUTH 117 + #define TPM_F_TPM_CREATE_SRK_POLICY 118 ++#define TPM_F_TPM_DECODE_BASE64 119 ++#define TPM_F_TPM_DECRYPT_SRK_PW 120 + + /* Reason codes. */ + #define TPM_R_ALREADY_LOADED 100 +@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line); + #define TPM_R_ID_INVALID 125 + #define TPM_R_UI_METHOD_FAILED 126 + #define TPM_R_UNKNOWN_SECRET_MODE 127 ++#define TPM_R_DECODE_BASE64_FAILED 128 ++#define TPM_R_DECRYPT_SRK_PW_FAILED 129 + + /* structure pointed to by the RSA object's app_data pointer */ + struct rsa_app_data +diff --git a/e_tpm_err.c b/e_tpm_err.c +index 25a5d0f..439e267 100644 +--- a/e_tpm_err.c ++++ b/e_tpm_err.c +@@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = { + {ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"}, + {ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"}, + {ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"}, ++ {ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"}, ++ {ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"}, + {0, NULL} + }; + +@@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = { + {TPM_R_FILE_READ_FAILED, "failed reading the key file"}, + {TPM_R_ID_INVALID, "engine id doesn't match"}, + {TPM_R_UI_METHOD_FAILED, "ui function failed"}, ++ {TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"}, ++ {TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"}, + {0, NULL} + }; + +-- +2.9.3 + diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch new file mode 100644 index 000000000..076704de8 --- /dev/null 
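Review bot: `tpm_decrypt_srk_pw` decrypts into the fixed `unsigned char dec_data[256]` and then does `memcpy(outdata, dec_data, dec_data_len)` into the caller's `auth` buffer (which the surrounding code treats as 128 bytes) with no length check anywhere, while the only bound on the input is `!in_len || in_len % 4` in tpm_load_srk, so an over-long TPM_SRK_ENC_PW overruns the stack buffer and then `auth`; reject oversized input before `EVP_CipherUpdate`, e.g. `if (in_len <= 0 || in_len + EVP_MAX_BLOCK_LENGTH > (int)sizeof(dec_data)) { TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED); return 1; }`, and pass the size of `outdata` in so `*out_len` can be checked against it before the memcpy. `else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {` under `#ifdef TPM_SRK_PLAIN_PW` is missing a closing parenthesis, so the plain-password build does not compile. The two error returns after `EVP_CipherInit_ex` free `aes_pw` but not `ctx`, `EVP_CIPHER_CTX_new()` is never checked for NULL, and `EVP_ENCODE_CTX dctx;` on the stack presumably only builds against OpenSSL 1.0.x where the struct is not opaque. Because `SRK_DEC_PW` and `SRK_DEC_SALT` are compile-time constants baked into libtpm.so, anyone who can read the library can decrypt TPM_SRK_ENC_PW, so the commit message's "secure" framing should be toned down to obfuscation and `key`, `iv` and `dec_data` should be wiped with `OPENSSL_cleanse` before returning.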
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch @@ -0,0 +1,34 @@ +From fb44e2814fd819c086f9a4c925427f89c0e8cec6 Mon Sep 17 00:00:00 2001 +From: Limeng <Meng.Li@windriver.com> +Date: Fri, 21 Jul 2017 16:32:02 +0800 +Subject: [PATCH] tpm:openssl-tpm-engine: change variable c type from char + into int + +refer to getopt_long() function definition, its return value type is +int. So, change variable c type from char into int. +On arm platform, when getopt_long() calling fails, if we define c as +char type, its value will be 255, not -1. This will cause code enter +wrong case. + +Signed-off-by: Meng Li <Meng.Li@windriver.com> +--- + create_tpm_key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/create_tpm_key.c b/create_tpm_key.c +index 7b94d62..f30af90 100644 +--- a/create_tpm_key.c ++++ b/create_tpm_key.c +@@ -148,7 +148,8 @@ int main(int argc, char **argv) + ASN1_OCTET_STRING *blob_str; + unsigned char *blob_asn1 = NULL; + int asn1_len; +- char *filename, c, *openssl_key = NULL; ++ char *filename, *openssl_key = NULL; ++ int c; + int option_index, auth = 0, popup = 0, wrap = 0; + int wellknownkey = 0; + UINT32 enc_scheme = TSS_ES_RSAESPKCSV15; +-- +1.7.9.5 + diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb new file mode 100644 index 000000000..4854f70e3 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb 
@@ -0,0 +1,78 @@ +DESCRIPTION = "OpenSSL secure engine based on TPM hardware" +HOMEPAGE = "https://sourceforge.net/projects/trousers/" +SECTION = "security/tpm" + +LICENSE = "openssl" +LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52" + +DEPENDS += "openssl trousers" + +SRC_URI = "\ + git://git.code.sf.net/p/trousers/openssl_tpm_engine \ + file://0001-create-tpm-key-support-well-known-key-option.patch \ + file://0002-libtpm-support-env-TPM_SRK_PW.patch \ + file://0003-Fix-not-building-libtpm.la.patch \ + file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \ + file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \ +" +SRCREV = "bbc2b1af809f20686e0d3553a62f0175742c0d60" + +S = "${WORKDIR}/git" + +inherit autotools-brokensep + +# The definitions below are used to decrypt the srk password. +# It is allowed to define the values in 3 forms: string, hex number and +# the hybrid, e.g, +# srk_dec_pw = "incendia" +# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61" +# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a" +# +# Due to the limit of escape character, the hybrid must be written in +# above style. 
The actual values defined below in C code style are: +# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' }; +# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' }; +srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\"" +srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\"" + +CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}" + +# Uncomment below line if using the plain srk password for development +#CFLAGS_append += "-DTPM_SRK_PLAIN_PW" + +do_configure_prepend() { + cd "${S}" + cp LICENSE COPYING + touch NEWS AUTHORS ChangeLog +} + +do_install_append() { + install -m 0755 -d "${D}${libdir}/engines" + install -m 0755 -d "${D}${prefix}/local/ssl/lib/engines" + install -m 0755 -d "${D}${libdir}/ssl/engines" + + cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/libtpm.so.0" + cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/engines/libtpm.so" + cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${prefix}/local/ssl/lib/engines/libtpm.so" + mv -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/ssl/engines/libtpm.so" + mv -f "${D}${libdir}/openssl/engines/libtpm.la" "${D}${libdir}/ssl/engines/libtpm.la" + rm -rf "${D}${libdir}/openssl" +} + +FILES_${PN}-staticdev += "${libdir}/ssl/engines/libtpm.la" +FILES_${PN}-dbg += "\ + ${libdir}/ssl/engines/.debug \ + ${libdir}/engines/.debug \ + ${prefix}/local/ssl/lib/engines/.debug \ +" +FILES_${PN} += "\ + ${libdir}/ssl/engines/libtpm.so* \ + ${libdir}/engines/libtpm.so* \ + ${libdir}/libtpm.so* \ + ${prefix}/local/ssl/lib/engines/libtpm.so* \ +" + +RDEPENDS_${PN} += "libcrypto libtspi" + +INSANE_SKIP_${PN} = "libdir" +INSANE_SKIP_${PN}-dbg = "libdir" diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb new file mode 100644 index 000000000..0cc4f6370 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb 
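Review bot: `srk_dec_pw ?=` and `srk_dec_salt ?=` give every build the same default AES password and salt, and `CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"` compiles them into libtpm.so, so a TPM_SRK_ENC_PW value produced with the defaults is recoverable by anyone who can read the installed library; the comment block only explains the escaping and should state that the defaults are public and must be overridden per product (distro or local.conf), e.g. `# These defaults are public: override srk_dec_pw/srk_dec_salt in your distro config.` Combining `_append` with `+=` is unusual; `CFLAGS_append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"` is the conventional spelling. None of the four `file://` patches listed in SRC_URI carry an `Upstream-Status:` line, which the layer's patch policy expects.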
@@ -0,0 +1,25 @@
+SUMMARY = "Command line utility to extend hash of arbitrary data into a TPMs PCR."
+HOMEPAGE = "https://github.com/flihp/pcr-extend"
+SECTION = "security/tpm"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS = "libtspi"
+
+PV = "0.1+git${SRCPV}"
+SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
+
+SRC_URI = "git://github.com/flihp/pcr-extend.git "
+
+inherit autotools
+
+S = "${WORKDIR}/git"
+
+do_compile() {
+ oe_runmake -C ${S}/src
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ oe_runmake -C ${S}/src DESTDIR="${D}" install
+}
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch b/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
new file mode 100644
index 000000000..3d1643120
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
@@ -0,0 +1,31 @@
+From 8750a6c3f0b4d9e7e45b4079150d29eb44774e9c Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Tue, 14 Mar 2017 22:59:36 -0700
+Subject: [PATCH 2/4] logging: Fix musl build issue with fcntl
+
+ error: #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.h> [-Werror=cpp]
+ #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/swtpm/logging.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/swtpm/logging.c b/src/swtpm/logging.c
+index f16cab6..7da8606 100644
+--- a/src/swtpm/logging.c
++++ b/src/swtpm/logging.c
+@@ -45,7 +45,7 @@
+ #include <errno.h>
+ #include <string.h>
+ #include <sys/types.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+--
+2.11.0
+
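Review bot: `DEPENDS = "libtspi"` names a runtime package rather than a recipe; unless something in this layer provides `libtspi` at build time (the trousers recipe may, but that is not visible here), the build dependency should be `DEPENDS = "trousers"`. tpm-quote-tools_1.0.4.bb in this commit has the same `DEPENDS = "libtspi tpm-tools"`. `do_compile` and `do_install` replace what `inherit autotools` provides without saying why only `${S}/src` is built; a one-line comment giving the reason (for instance `# upstream's top-level Makefile is not usable here; build src/ directly`, if that is the reason) would help the next maintainer. The trailing space in `SRC_URI = "git://github.com/flihp/pcr-extend.git "` is harmless but should go.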
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch new file mode 100644 index 000000000..60958f763 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch 
@@ -0,0 +1,66 @@ +From 672bb4ee625da3141ba6cecb0601c7563de4c483 Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Thu, 13 Oct 2016 02:03:56 -0700 +Subject: [PATCH 1/4] swtpm: add new package + +Upstream-Status: Inappropriate [OE config] + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Rebased to current tip. + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + +--- + configure.ac | 34 ++++++++++------------------------ + 1 file changed, 10 insertions(+), 24 deletions(-) + +diff --git a/configure.ac b/configure.ac +index abf5be1..85ed6ac 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -395,31 +395,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-security" + dnl We have to make sure libtpms is using the same crypto library + dnl to avoid problems + AC_MSG_CHECKING([the crypto library libtpms is using]) +-dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \ +- sed -n '/SEARCH_DIR/p' | \ +- sed 's/SEARCH_DIR("\(@<:@^"@:>@*\)"); */\1 /g' | \ +- sed 's|=/|/|g') +-for dir in $dirs $LIBRARY_PATH; do +- if test -r $dir/libtpms.so; then +- if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then +- libtpms_cryptolib="openssl" +- break +- fi +- if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then +- libtpms_cryptolib="freebl" +- break +- fi ++dir="$SEARCH_DIR" ++if test -r $dir/libtpms.so; then ++ if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then ++ libtpms_cryptolib="openssl" ++ break + fi +- case $host_os in +- cygwin|openbsd*) +- if test -r $dir/libtpms.a; then +- if test -n "$(nm $dir/libtpms.a | grep "U AES_encrypt")"; then +- libtpms_cryptolib="openssl" +- fi +- fi +- ;; +- esac +-done ++ if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then ++ libtpms_cryptolib="freebl" ++ break ++ fi ++fi + + if test -z "$libtpms_cryptolib"; then + AC_MSG_ERROR([Could not determine libtpms crypto library.]) +-- +2.11.0 + 
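Review bot: The rewritten block keeps `break` inside both `if` branches, but the same hunk removes the enclosing `for dir in $dirs $LIBRARY_PATH; do ... done` loop, so each `break` now executes outside any loop; bash only warns and POSIX leaves it unspecified, and in any case the branch already falls out of the `if`, so both `break` lines should be deleted. `SEARCH_DIR` comes from the environment (swtpm_1.0.bb exports it) and `$dir/libtpms.so` is unquoted; `if test -r "$dir/libtpms.so"; then` is the safer spelling. The subject `[PATCH 1/4] swtpm: add new package` does not describe a configure.ac change; something like `configure: detect libtpms crypto library from SEARCH_DIR` would.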
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch b/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch
new file mode 100644
index 000000000..d736bc66f
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch
@@ -0,0 +1,22 @@
+tpm_ioctl: fix musl for missing ioctl
+
+tpm_ioctl.c: In function 'ioctl_to_cmd':
+tpm_ioctl.c:86:26: error: '_IOC_NRSHIFT' undeclared (first use in this function)
+ return ((ioctlnum >> _IOC_NRSHIFT) & _IOC_NRMASK) + 1;
+
+
+Upstream-status:
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: git/src/swtpm_ioctl/tpm_ioctl.c
+===================================================================
+--- git.orig/src/swtpm_ioctl/tpm_ioctl.c
++++ git/src/swtpm_ioctl/tpm_ioctl.c
+@@ -58,6 +58,7 @@
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <sys/ioctl.h>
++#include <asm/ioctl.h>
+ #include <getopt.h>
+ #include <sys/un.h>
+ #include <sys/types.h>
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
new file mode 100644
index 000000000..644f3ac13
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
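Review bot: `Upstream-status:` in the patch header has no value and is miscased; the layer's patch checks look for `Upstream-Status: Pending` (or `Upstream-Status: Inappropriate [musl-specific]` if this is not meant to go upstream). `#include <asm/ioctl.h>` is Linux-only and is added unconditionally after `<sys/ioctl.h>`; that is acceptable for this layer, but the header should say so and note that on glibc the include guard makes the second inclusion a no-op, since that is what keeps the glibc build unaffected.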
@@ -0,0 +1,53 @@ +SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools" +LICENSE = "MIT" +DEPENDS = "swtpm-native tpm-tools-native net-tools-native" + +inherit native + +# The whole point of the recipe is to make files available +# for use after the build is done, so don't clean up... +RM_WORK_EXCLUDE += "${PN}" + +do_create_wrapper () { + # Wrap (almost) all swtpm binaries. Some get special wrappers and some + # are not needed. + for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do + exe=`basename $i` + case $exe in + swtpm_setup.sh) + cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF +#! /bin/sh +# +# Wrapper around swtpm_setup.sh which adds parameters required to +# run the setup as non-root directly from the native sysroot. + +PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH" +export PATH + +# tcsd only allows to be run as root or tss. Pretend to be root... +exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@" +EOF + ;; + swtpm_setup) + true + ;; + *) + cat >${WORKDIR}/${exe}_oe.sh <<EOF +#! /bin/sh +# +# Wrapper around $exe which makes it easier to invoke +# the right binary. + +PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH" +export PATH + +exec ${exe} "\$@" +EOF + ;; + esac + done + + chmod a+rx ${WORKDIR}/*.sh +} + +addtask do_create_wrapper before do_build after do_prepare_recipe_sysroot diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb new file mode 100644 index 000000000..747602000 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb 
@@ -0,0 +1,61 @@ +SUMMARY = "SWTPM - Software TPM Emulator" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8" +SECTION = "apps" + +DEPENDS = "libtasn1 expect socat glib-2.0 libtpm libtpm-native" + +# configure checks for the tools already during compilation and +# then swtpm_setup needs them at runtime +DEPENDS += "tpm-tools-native expect-native socat-native" +RDEPENDS_${PN} += "tpm-tools" + +SRCREV = "4f4f2f0a7e3195f6df8d235d58630a08e69403d8" +SRC_URI = "git://github.com/stefanberger/swtpm.git \ + file://fix_lib_search_path.patch \ + file://fix_fcntl_h.patch \ + file://ioctl_h.patch \ + " + +S = "${WORKDIR}/git" + +inherit autotools-brokensep pkgconfig +PARALLEL_MAKE = "" + +TSS_USER="tss" +TSS_GROUP="tss" + +PACKAGECONFIG ?= "openssl cuse" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl" +PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls" +PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux" +PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse" + +EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}" + +export SEARCH_DIR = "${STAGING_LIBDIR_NATIVE}" + +# dup bootstrap +do_configure_prepend () { + libtoolize --force --copy + autoheader + aclocal + automake --add-missing -c + autoconf +} + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "--system ${TSS_USER}" +USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir \ + --no-create-home --shell /bin/false ${BPN}" + +RDEPENDS_${PN} = "libtpm expect socat bash" + +BBCLASSEXTEND = "native nativesdk" + +python() { + if 'cuse' in d.getVar('PACKAGECONFIG') and \ + 'filesystems-layer' not in d.getVar('BBFILE_COLLECTIONS').split(): + raise bb.parse.SkipRecipe('Cuse enabled which requires meta-filesystems to be present.') +} 
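Review bot: `USERADD_PARAM_${PN}` passes `--home-dir` with no argument, so useradd will consume `--no-create-home` as the home directory, and the account it creates is `${BPN}` (swtpm) rather than the `tss` user the build is configured for via `--with-tss-user=${TSS_USER}`; the line should be `USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir /var/lib/swtpm --no-create-home --shell /bin/false ${TSS_USER}"` (exact home path to be confirmed against what swtpm_setup expects), and `GROUPADD_PARAM_${PN}` should use `${TSS_GROUP}` rather than `${TSS_USER}` even though both are "tss" today. Further down, `RDEPENDS_${PN} = "libtpm expect socat bash"` is a plain assignment that overrides the earlier `RDEPENDS_${PN} += "tpm-tools"`, so tpm-tools silently drops out of the runtime dependencies; merge them into one line. The `git://` fetch is pinned by SRCREV but travels over an unauthenticated transport and has no `;branch=`; `;protocol=https;branch=master` (branch to be confirmed) is cheap hardening.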
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
new file mode 100644
index 000000000..8486d0016
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
@@ -0,0 +1,23 @@
+SUMMARY = "The TPM Quote Tools is a collection of programs that provide support \
+ for TPM based attestation using the TPM quote mechanism. \
+ "
+DESCRIPTION = "The TPM Quote Tools is a collection of programs that provide support \
+ for TPM based attestation using the TPM quote mechanism. The manual \
+ page for tpm_quote_tools provides a usage overview. \
+ \
+ TPM Quote Tools has been tested with TrouSerS on Linux and NTRU on \
+ Windows XP. It was ported to Windows using MinGW and MSYS. \
+ "
+HOMEPAGE = "https://sourceforge.net/projects/tpmquotetools/"
+SECTION = "security/tpm"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8ec30b01163d242ecf07d9cd84e3611f"
+
+DEPENDS = "libtspi tpm-tools"
+
+SRC_URI = "${SOURCEFORGE_MIRROR}/tpmquotetools/${PV}/${BP}.tar.gz"
+
+SRC_URI[md5sum] = "6e194f5bc534301bbaef53dc6d22c233"
+SRC_URI[sha256sum] = "10dc4eade02635557a9496b388360844cd18e7864e2eb882f5e45ab2fa405ae2"
+
+inherit autotools
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
new file mode 100644
index 000000000..ab5e68320
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
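Review bot: `SUMMARY` is spread over three continuation lines, so the package summary carries the embedded whitespace and trailing blank; OE expects SUMMARY to be one short line, e.g. `SUMMARY = "TPM quote tools for TPM-based attestation"`, with the long text in DESCRIPTION, which is already present. `SRC_URI[md5sum]` adds nothing next to the sha256sum and can be dropped. Whether `tpm-tools` in `DEPENDS` is a genuine build-time need or a runtime one that belongs in RDEPENDS cannot be told from here and is worth a one-line comment.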
@@ -0,0 +1,244 @@ +Index: tpm-tools-1.3.8/include/tpm_tspi.h +=================================================================== +--- tpm-tools-1.3.8.orig/include/tpm_tspi.h 2011-08-17 08:20:35.000000000 -0400 ++++ tpm-tools-1.3.8/include/tpm_tspi.h 2013-01-05 23:26:31.571598217 -0500 +@@ -117,6 +117,10 @@ + UINT32 *a_PcrSize, BYTE **a_PcrValue); + TSS_RESULT pcrcompositeSetPcrValue(TSS_HPCRS a_hPcrs, UINT32 a_Idx, + UINT32 a_PcrSize, BYTE *a_PcrValue); ++TSS_RESULT tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx, ++ UINT32 a_DataSize, BYTE *a_Data, ++ TSS_PCR_EVENT *a_Event, ++ UINT32 *a_PcrSize, BYTE **a_PcrValue); + #ifdef TSS_LIB_IS_12 + TSS_RESULT unloadVersionInfo(UINT64 *offset, BYTE *blob, TPM_CAP_VERSION_INFO *v); + TSS_RESULT pcrcompositeSetPcrLocality(TSS_HPCRS a_hPcrs, UINT32 localityValue); +Index: tpm-tools-1.3.8/lib/tpm_tspi.c +=================================================================== +--- tpm-tools-1.3.8.orig/lib/tpm_tspi.c 2011-08-17 08:20:35.000000000 -0400 ++++ tpm-tools-1.3.8/lib/tpm_tspi.c 2013-01-05 23:27:37.731593490 -0500 +@@ -594,6 +594,20 @@ + return result; + } + ++TSS_RESULT ++tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx, ++ UINT32 a_DataSize, BYTE *a_Data, ++ TSS_PCR_EVENT *a_Event, ++ UINT32 *a_PcrSize, BYTE **a_PcrValue) ++{ ++ TSS_RESULT result = ++ Tspi_TPM_PcrExtend(a_hTpm, a_Idx, a_DataSize, a_Data, a_Event, ++ a_PcrSize, a_PcrValue); ++ tspiResult("Tspi_TPM_PcrExtend", result); ++ ++ return result; ++} ++ + #ifdef TSS_LIB_IS_12 + /* + * These getPasswd functions will wrap calls to the other functions and check to see if the TSS +Index: tpm-tools-1.3.8/src/cmds/Makefile.am +=================================================================== +--- tpm-tools-1.3.8.orig/src/cmds/Makefile.am 2011-08-15 13:52:08.000000000 -0400 ++++ tpm-tools-1.3.8/src/cmds/Makefile.am 2013-01-05 23:30:46.223593698 -0500 +@@ -22,6 +22,7 @@ + # + + bin_PROGRAMS = tpm_sealdata \ ++ tpm_extendpcr \ + tpm_unsealdata + + if TSS_LIB_IS_12 +@@ -33,4 +34,5 
@@ + LDADD = $(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto + + tpm_sealdata_SOURCES = tpm_sealdata.c ++tpm_extendpcr_SOURCES = tpm_extendpcr.c + tpm_unsealdata_SOURCES = tpm_unsealdata.c +Index: tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c 2013-01-05 23:37:43.403585514 -0500 +@@ -0,0 +1,181 @@ ++/* ++ * The Initial Developer of the Original Code is International ++ * Business Machines Corporation. Portions created by IBM ++ * Corporation are Copyright (C) 2005, 2006 International Business ++ * Machines Corporation. All Rights Reserved. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the Common Public License as published by ++ * IBM Corporation; either version 1 of the License, or (at your option) ++ * any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * Common Public License for more details. ++ * ++ * You should have received a copy of the Common Public License ++ * along with this program; if not, a copy can be viewed at ++ * http://www.opensource.org/licenses/cpl1.0.php. ++ */ ++#include <openssl/evp.h> ++#include <openssl/sha.h> ++#include <limits.h> ++#include "tpm_tspi.h" ++#include "tpm_utils.h" ++#include "tpm_seal.h" ++ ++// #define TPM_EXTENDPCR_DEBUG ++ ++static void help(const char *aCmd) ++{ ++ logCmdHelp(aCmd); ++ logCmdOption("-i, --infile FILE", ++ _ ++ ("Filename containing data to extend PCRs with. 
Default is STDIN.")); ++ logCmdOption("-p, --pcr NUMBER", ++ _("PCR to extend.")); ++ ++} ++ ++static char in_filename[PATH_MAX] = ""; ++static TSS_HPCRS hPcrs = NULL_HPCRS; ++static TSS_HTPM hTpm; ++static UINT32 selectedPcrs[24]; ++static UINT32 selectedPcrsLen = 0; ++TSS_HCONTEXT hContext = 0; ++ ++static int parse(const int aOpt, const char *aArg) ++{ ++ int rc = -1; ++ ++ switch (aOpt) { ++ case 'i': ++ if (aArg) { ++ strncpy(in_filename, aArg, PATH_MAX); ++ rc = 0; ++ } ++ break; ++ case 'p': ++ if (aArg) { ++ selectedPcrs[selectedPcrsLen++] = atoi(aArg); ++ rc = 0; ++ } ++ break; ++ default: ++ break; ++ } ++ return rc; ++ ++} ++ ++int main(int argc, char **argv) ++{ ++ ++ int iRc = -1; ++ struct option opts[] = { ++ {"infile", required_argument, NULL, 'i'}, ++ {"pcr", required_argument, NULL, 'p'}, ++ }; ++ unsigned char line[EVP_MD_block_size(EVP_sha1()) * 16]; ++ int lineLen; ++ UINT32 i; ++ ++ BIO *bin = NULL; ++ ++ initIntlSys(); ++ ++ if (genericOptHandler(argc, argv, "i:p:", opts, ++ sizeof(opts) / sizeof(struct option), parse, ++ help) != 0) ++ goto out; ++ ++ if (contextCreate(&hContext) != TSS_SUCCESS) ++ goto out; ++ ++ if (contextConnect(hContext) != TSS_SUCCESS) ++ goto out_close; ++ ++ if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS) ++ goto out_close; ++ ++ /* Create a BIO for the input file */ ++ if ((bin = BIO_new(BIO_s_file())) == NULL) { ++ logError(_("Unable to open input BIO\n")); ++ goto out_close; ++ } ++ ++ /* Assign the input file to the BIO */ ++ if (strlen(in_filename) == 0) ++ BIO_set_fp(bin, stdin, BIO_NOCLOSE); ++ else if (!BIO_read_filename(bin, in_filename)) { ++ logError(_("Unable to open input file: %s\n"), ++ in_filename); ++ goto out_close; ++ } ++ ++ /* Create the PCRs object. 
If any PCRs above 15 are selected, this will need to be ++ * a 1.2 TSS/TPM */ ++ if (selectedPcrsLen) { ++ TSS_FLAG initFlag = 0; ++ UINT32 pcrSize; ++ BYTE *pcrValue; ++ ++ for (i = 0; i < selectedPcrsLen; i++) { ++ if (selectedPcrs[i] > 15) { ++#ifdef TSS_LIB_IS_12 ++ initFlag |= TSS_PCRS_STRUCT_INFO_LONG; ++#else ++ logError(_("This version of %s was compiled for a v1.1 TSS, which " ++ "can only seal\n data to PCRs 0-15. PCR %u is out of range" ++ "\n"), argv[0], selectedPcrs[i]); ++ goto out_close; ++#endif ++ } ++ } ++ ++ unsigned char msg[EVP_MAX_MD_SIZE]; ++ unsigned int msglen; ++ EVP_MD_CTX ctx; ++ EVP_DigestInit(&ctx, EVP_sha1()); ++ while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) ++ EVP_DigestUpdate(&ctx, line, lineLen); ++ EVP_DigestFinal(&ctx, msg, &msglen); ++ ++ if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag, ++ &hPcrs) != TSS_SUCCESS) ++ goto out_close; ++ ++ for (i = 0; i < selectedPcrsLen; i++) { ++#ifdef TPM_EXTENDPCR_DEBUG ++ if (tpmPcrRead(hTpm, selectedPcrs[i], &pcrSize, &pcrValue) != TSS_SUCCESS) ++ goto out_close; ++ ++ unsigned int j; ++ for (j = 0; j < pcrSize; j++) ++ printf("%02X ", pcrValue[j]); ++ printf("\n"); ++#endif ++ ++ if (tpmPcrExtend(hTpm, selectedPcrs[i], msglen, msg, NULL, &pcrSize, &pcrValue) != TSS_SUCCESS) ++ goto out_close; ++ ++#ifdef TPM_EXTENDPCR_DEBUG ++ for (j = 0; j < pcrSize; j++) ++ printf("%02X ", pcrValue[j]); ++ printf("\n"); ++#endif ++ } ++ } ++ ++ iRc = 0; ++ logSuccess(argv[0]); ++ ++out_close: ++ contextClose(hContext); ++ ++out: ++ if (bin) ++ BIO_free(bin); ++ return iRc; ++} diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb new file mode 100644 index 000000000..f670bffce --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb 
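Review bot: In `parse()` of the new tpm_extendpcr.c, the `-p` handler writes `selectedPcrs[selectedPcrsLen++]` with no bound against the 24-entry static array and stores `atoi(aArg)` unchecked, so more than 24 `--pcr` options overflow a global buffer, and a negative or non-numeric argument becomes a huge `UINT32` that only the later `> 15` check (which is about the 1.1 TSS, not the table) ever sees. The `-i` handler's `strncpy(in_filename, aArg, PATH_MAX)` leaves `in_filename` unterminated when the argument is PATH_MAX bytes or longer; `snprintf` with a truncation check avoids that. Both are fixed at parse time below (strtol clamps on overflow, so the range test also covers ERANGE without a new include). The patch header carries no `Upstream-Status:` line, and the 1.1-TSS error text still says "can only seal data to PCRs 0-15", copied from tpm_sealdata.
```c
static int parse(const int aOpt, const char *aArg)
{
	int rc = -1;

	switch (aOpt) {
	case 'i':
		if (aArg) {
			/* snprintf always NUL-terminates; reject a truncated path */
			int n = snprintf(in_filename, sizeof in_filename, "%s", aArg);
			if (n >= 0 && (size_t)n < sizeof in_filename)
				rc = 0;
		}
		break;
	case 'p':
		if (aArg) {
			char *end = NULL;
			long idx = strtol(aArg, &end, 10);

			/* index must be numeric, 0..23, and fit the static table */
			if (end == aArg || *end != '\0' || idx < 0 || idx > 23 ||
			    selectedPcrsLen >= sizeof(selectedPcrs) / sizeof(selectedPcrs[0]))
				break;
			selectedPcrs[selectedPcrsLen++] = (UINT32)idx;
			rc = 0;
		}
		break;
	default:
		break;
	}
	return rc;
}
/* … unchanged: main() … */
```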
@@ -0,0 +1,35 @@ +SUMMARY = "The tpm-tools package contains commands to allow the platform administrator the ability to manage and diagnose the platform's TPM." +DESCRIPTION = " \ + The tpm-tools package contains commands to allow the platform administrator \ + the ability to manage and diagnose the platform's TPM. Additionally, the \ + package contains commands to utilize some of the capabilities available \ + in the TPM PKCS#11 interface implemented in the openCryptoki project. \ + " +SECTION = "tpm" +LICENSE = "CPL-1.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9" + +DEPENDS = "libtspi openssl" +DEPENDS_class-native = "trousers-native" + +SRCREV = "5c5126bedf2da97906358adcfb8c43c86e7dd0ee" +SRC_URI = " \ + git://git.code.sf.net/p/trousers/tpm-tools \ + file://tpm-tools-extendpcr.patch \ + " + +PV = "1.3.9.1+git${SRCPV}" + +inherit autotools-brokensep gettext + +S = "${WORKDIR}/git" + +do_configure_prepend () { + mkdir -p po + mkdir -p m4 + cp -R po_/* po/ + touch po/Makefile.in.in + touch m4/Makefile.am +} + +BBCLASSEXTEND = "native" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh new file mode 100644 index 000000000..c8dfb7de3 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh 
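Review bot: `DEPENDS_class-native = "trousers-native"` replaces the whole native dependency list, so the native build loses `openssl`, yet the tpm_extendpcr.c added by tpm-tools-extendpcr.patch includes `<openssl/evp.h>` and the Makefile.am links `-lcrypto`; on a host without OpenSSL headers the native build fails, and on one with them it picks up the host library untracked by bitbake. `DEPENDS_class-native = "trousers-native openssl-native"` keeps the two variants aligned. The `git://git.code.sf.net/...` fetch is SRCREV-pinned but unauthenticated in transit and has no `;branch=`; `;protocol=https;branch=master` (branch to be confirmed) would close that.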
@@ -0,0 +1,65 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: tpm2-abrmd +# Required-Start: $local_fs $remote_fs $network +# Required-Stop: $local_fs $remote_fs $network +# Should-Start: +# Should-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: starts tpm2-abrmd +# Description: tpm2-abrmd implements the TCG resource manager +### END INIT INFO + +PATH=/sbin:/bin:/usr/sbin:/usr/bin +DAEMON=/usr/sbin/tpm2-abrmd +NAME=tpm2-abrmd +DESC="TCG TSS2 Access Broker and Resource Management daemon" +USER="tss" + +test -x "${DAEMON}" || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +case "${1}" in + start) + echo -n "Starting $DESC: " + + if [ ! -e /dev/tpm* ] + then + echo "device driver not loaded, skipping." + exit 0 + fi + + start-stop-daemon --start --quiet --oknodo --background --pidfile /var/run/${NAME}.pid --user ${USER} --chuid ${USER} --exec ${DAEMON} -- ${DAEMON_OPTS} + RETVAL="$?" + echo "$NAME." + [ "$RETVAL" = 0 ] && pidof $DAEMON > /var/run/${NAME}.pid + exit $RETVAL + ;; + + stop) + echo -n "Stopping $DESC: " + + start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --exec ${DAEMON} + RETVAL="$?" + echo "$NAME." + rm -f /var/run/${NAME}.pid + exit $RETVAL + ;; + + restart|force-reload) + "${0}" stop + sleep 1 + "${0}" start + exit $? + ;; + *) + echo "Usage: ${NAME} {start|stop|restart|force-reload|status}" >&2 + exit 3 + ;; +esac + +exit 0 diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default new file mode 100644 index 000000000..987978a66 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default @@ -0,0 +1 @@ +DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transient-objects=20 --fail-on-loaded-trans" 
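Review bot: The start branch launches the daemon with `--background` but without `--make-pidfile`, then fills the pidfile from `pidof $DAEMON` one line later; that is a race (the daemon may not have exec'd yet, leaving an empty pidfile so `stop` only matches on `--exec`/`--user`) and `pidof` can return several pids. Let start-stop-daemon write it: `start-stop-daemon --start --quiet --oknodo --background --make-pidfile --pidfile /var/run/${NAME}.pid --chuid ${USER} --exec ${DAEMON} -- ${DAEMON_OPTS}` and drop the `pidof` line. `[ ! -e /dev/tpm* ]` relies on the glob staying unexpanded when no device exists and fails with "too many arguments" once two nodes (e.g. tpm0 and tpmrm0) are present; `ls /dev/tpm* >/dev/null 2>&1 || { echo "device driver not loaded, skipping."; exit 0; }` is robust. The usage line advertises `status`, but no such case exists. Running as `tss` via `--chuid` is the right least-privilege choice; a comment noting that the pidfile stays root-owned by design would help the next reader.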
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb
new file mode 100644
index 000000000..a5d6843b9
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb
@@ -0,0 +1,54 @@ +SUMMARY = "TPM2 Access Broker & Resource Manager" +DESCRIPTION = "This is a system daemon implementing the TPM2 access \ +broker (TAB) & Resource Manager (RM) spec from the TCG. The daemon (tpm2-abrmd) \ +is implemented using Glib and the GObject system. In this documentation and \ +in the code we use `tpm2-abrmd` and `tabrmd` interchangeably. \ +" +SECTION = "security/tpm" + +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" + +DEPENDS += "autoconf-archive dbus glib-2.0 pkgconfig tpm2.0-tss glib-2.0-native" + +SRC_URI = "\ + git://github.com/01org/tpm2-abrmd.git \ + file://tpm2-abrmd-init.sh \ + file://tpm2-abrmd.default \ +" +SRCREV = "59ce1008e5fa3bd5a143437b0f7390851fd25bd8" + +S = "${WORKDIR}/git" + +inherit autotools pkgconfig systemd update-rc.d useradd + +SYSTEMD_PACKAGES += "${PN}" +SYSTEMD_SERVICE_${PN} = "tpm2-abrmd.service" +SYSTEMD_AUTO_ENABLE_${PN} = "disable" + +INITSCRIPT_NAME = "${PN}" +INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ." + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "tss" +USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" + +PACKAGECONFIG ?="udev" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}" + +PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no" +PACKAGECONFIG[udev] = "--with-udevrulesdir=${sysconfdir}/udev/rules.d, --without-udevrulesdir" + +do_install_append() { + install -d "${D}${sysconfdir}/init.d" + install -m 0755 "${WORKDIR}/tpm2-abrmd-init.sh" "${D}${sysconfdir}/init.d/tpm2-abrmd" + + install -d "${D}${sysconfdir}/default" + install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd" +} + +FILES_${PN} += "${libdir}/systemd/system-preset" + +RDEPENDS_${PN} += "libgcc dbus-glib libtss2 libtctidevice libtctisocket" + +BBCLASSEXTEND = "native" 
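Review bot: Service enablement is inconsistent between init systems: `INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."` starts the broker at boot under sysvinit, while `SYSTEMD_AUTO_ENABLE_${PN} = "disable"` leaves it off under systemd; pick one policy, and if the intent is D-Bus or udev activation under systemd, say so in a comment. `git://github.com/01org/tpm2-abrmd.git` is pinned by SRCREV but fetched over an unauthenticated transport and without `;branch=`; add `;protocol=https;branch=master` (branch to be confirmed). `LIC_FILES_CHKSUM = "file://${S}/LICENSE;..."` differs from the `file://LICENSE` form the sibling recipes use and should be harmonised. A system D-Bus daemon also needs a bus policy file; I assume upstream's install rules place `tpm2-abrmd.conf` in the dbus system.d directory, which is worth confirming since nothing in the recipe packages one explicitly.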
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb
new file mode 100644
index 000000000..7ec12fc73
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Tools for TPM2."
+DESCRIPTION = "tpm2.0-tools"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=91b7c548d73ea16537799e8060cea819"
+SECTION = "tpm"
+
+DEPENDS = "pkgconfig tpm2.0-tss openssl curl autoconf-archive"
+
+# July 10, 2017
+SRCREV = "26c0557040c1cf8107fa3ebbcf2a5b07cc84b881"
+
+SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools"
+
+S = "${WORKDIR}/tpm2.0-tools"
+
+PV = "2.0.0+git${SRCPV}"
+
+inherit autotools pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4 b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4
new file mode 100644
index 000000000..d383ad5c6
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4
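Review bot: `LICENSE = "BSD"` is not a specific SPDX identifier and leaves the license-compliance machinery guessing which BSD variant the checksummed LICENSE file is; the sibling tpm2 recipes use `BSD-2-Clause`, and the value here should match what LICENSE actually says. The `git://` fetch is pinned by SRCREV but unauthenticated in transit and lacks `;branch=`; `SRC_URI = "git://github.com/01org/tpm2.0-tools.git;protocol=https;branch=master;name=tpm2.0-tools;destsuffix=tpm2.0-tools"` (branch to be confirmed). The `# July 10, 2017` comment is the only hint of what revision is pinned; naming the upstream tag it corresponds to, if any, would make `PV = "2.0.0+git${SRCPV}"` meaningful.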
@@ -0,0 +1,332 @@ +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_pthread.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]]) +# +# DESCRIPTION +# +# This macro figures out how to build C programs using POSIX threads. It +# sets the PTHREAD_LIBS output variable to the threads library and linker +# flags, and the PTHREAD_CFLAGS output variable to any special C compiler +# flags that are needed. (The user can also force certain compiler +# flags/libs to be tested by setting these environment variables.) +# +# Also sets PTHREAD_CC to any special C compiler that is needed for +# multi-threaded programs (defaults to the value of CC otherwise). (This +# is necessary on AIX to use the special cc_r compiler alias.) +# +# NOTE: You are assumed to not only compile your program with these flags, +# but also link it with them as well. e.g. you should link with +# $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS +# +# If you are only building threads programs, you may wish to use these +# variables in your default LIBS, CFLAGS, and CC: +# +# LIBS="$PTHREAD_LIBS $LIBS" +# CFLAGS="$CFLAGS $PTHREAD_CFLAGS" +# CC="$PTHREAD_CC" +# +# In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant +# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name +# (e.g. PTHREAD_CREATE_UNDETACHED on AIX). +# +# Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the +# PTHREAD_PRIO_INHERIT symbol is defined when compiling with +# PTHREAD_CFLAGS. +# +# ACTION-IF-FOUND is a list of shell commands to run if a threads library +# is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it +# is not found. If ACTION-IF-FOUND is not specified, the default action +# will define HAVE_PTHREAD. 
+# +# Please let the authors know if this macro fails on any platform, or if +# you have any other suggestions or comments. This macro was based on work +# by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help +# from M. Frigo), as well as ac_pthread and hb_pthread macros posted by +# Alejandro Forero Cuervo to the autoconf macro repository. We are also +# grateful for the helpful feedback of numerous users. +# +# Updated for Autoconf 2.68 by Daniel Richard G. +# +# LICENSE +# +# Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu> +# Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG> +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see <http://www.gnu.org/licenses/>. +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. 
When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 21 + +AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD]) +AC_DEFUN([AX_PTHREAD], [ +AC_REQUIRE([AC_CANONICAL_HOST]) +AC_LANG_PUSH([C]) +ax_pthread_ok=no + +# We used to check for pthread.h first, but this fails if pthread.h +# requires special compiler flags (e.g. on True64 or Sequent). +# It gets checked for in the link test anyway. + +# First of all, check if the user has set any of the PTHREAD_LIBS, +# etcetera environment variables, and if threads linking works using +# them: +if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + save_LIBS="$LIBS" + LIBS="$PTHREAD_LIBS $LIBS" + AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS]) + AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes]) + AC_MSG_RESULT([$ax_pthread_ok]) + if test x"$ax_pthread_ok" = xno; then + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" + fi + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" +fi + +# We must check for the threads library under a number of different +# names; the ordering is very important because some systems +# (e.g. DEC) have both -lpthread and -lpthreads, where one of the +# libraries is broken (non-POSIX). + +# Create a list of thread flags to try. Items starting with a "-" are +# C compiler flags, and other items are library names, except for "none" +# which indicates that we try without any flags at all, and "pthread-config" +# which is a program returning the flags for the Pth emulation library. + +ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" + +# The ordering *is* (sometimes) important. 
Some notes on the +# individual items follow: + +# pthreads: AIX (must check this before -lpthread) +# none: in case threads are in libc; should be tried before -Kthread and +# other compiler flags to prevent continual compiler warnings +# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) +# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) +# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) +# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) +# -pthreads: Solaris/gcc +# -mthreads: Mingw32/gcc, Lynx/gcc +# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it +# doesn't hurt to check since this sometimes defines pthreads too; +# also defines -D_REENTRANT) +# ... -mt is also the pthreads flag for HP/aCC +# pthread: Linux, etcetera +# --thread-safe: KAI C++ +# pthread-config: use pthread-config program (for GNU Pth library) + +case ${host_os} in + solaris*) + + # On Solaris (at least, for some versions), libc contains stubbed + # (non-functional) versions of the pthreads routines, so link-based + # tests will erroneously succeed. (We need to link with -pthreads/-mt/ + # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather + # a function called by this macro, so we could check for that, but + # who knows whether they'll stub that too in a future libc.) So, + # we'll just look for -pthreads and -lpthread first: + + ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags" + ;; + + darwin*) + ax_pthread_flags="-pthread $ax_pthread_flags" + ;; +esac + +# Clang doesn't consider unrecognized options an error unless we specify +# -Werror. We throw in some extra Clang-specific options to ensure that +# this doesn't happen for GCC, which also accepts -Werror. 
+ +AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags]) +save_CFLAGS="$CFLAGS" +ax_pthread_extra_flags="-Werror" +CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument" +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])], + [AC_MSG_RESULT([yes])], + [ax_pthread_extra_flags= + AC_MSG_RESULT([no])]) +CFLAGS="$save_CFLAGS" + +if test x"$ax_pthread_ok" = xno; then +for flag in $ax_pthread_flags; do + + case $flag in + none) + AC_MSG_CHECKING([whether pthreads work without any flags]) + ;; + + -*) + AC_MSG_CHECKING([whether pthreads work with $flag]) + PTHREAD_CFLAGS="$flag" + ;; + + pthread-config) + AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no]) + if test x"$ax_pthread_config" = xno; then continue; fi + PTHREAD_CFLAGS="`pthread-config --cflags`" + PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" + ;; + + *) + AC_MSG_CHECKING([for the pthreads library -l$flag]) + PTHREAD_LIBS="-l$flag" + ;; + esac + + save_LIBS="$LIBS" + save_CFLAGS="$CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags" + + # Check for various functions. We must include pthread.h, + # since some functions may be macros. (On the Sequent, we + # need a special flag -Kthread to make this header compile.) + # We check for pthread_join because it is in -lpthread on IRIX + # while pthread_create is in libc. We check for pthread_attr_init + # due to DEC craziness with -lpthreads. We check for + # pthread_cleanup_push because it is one of the few pthread + # functions on Solaris that doesn't have a non-functional libc stub. + # We try pthread_create on general principles. 
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h> + static void routine(void *a) { a = 0; } + static void *start_routine(void *a) { return a; }], + [pthread_t th; pthread_attr_t attr; + pthread_create(&th, 0, start_routine, 0); + pthread_join(th, 0); + pthread_attr_init(&attr); + pthread_cleanup_push(routine, 0); + pthread_cleanup_pop(0) /* ; */])], + [ax_pthread_ok=yes], + []) + + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" + + AC_MSG_RESULT([$ax_pthread_ok]) + if test "x$ax_pthread_ok" = xyes; then + break; + fi + + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" +done +fi + +# Various other checks: +if test "x$ax_pthread_ok" = xyes; then + save_LIBS="$LIBS" + LIBS="$PTHREAD_LIBS $LIBS" + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + + # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. + AC_MSG_CHECKING([for joinable pthread attribute]) + attr_name=unknown + for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do + AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>], + [int attr = $attr; return attr /* ; */])], + [attr_name=$attr; break], + []) + done + AC_MSG_RESULT([$attr_name]) + if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then + AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name], + [Define to necessary symbol if this constant + uses a non-standard name on your system.]) + fi + + AC_MSG_CHECKING([if more special flags are required for pthreads]) + flag=no + case ${host_os} in + aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";; + osf* | hpux*) flag="-D_REENTRANT";; + solaris*) + if test "$GCC" = "yes"; then + flag="-D_REENTRANT" + else + # TODO: What about Clang on Solaris? 
+ flag="-mt -D_REENTRANT" + fi + ;; + esac + AC_MSG_RESULT([$flag]) + if test "x$flag" != xno; then + PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" + fi + + AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT], + [ax_cv_PTHREAD_PRIO_INHERIT], [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]], + [[int i = PTHREAD_PRIO_INHERIT;]])], + [ax_cv_PTHREAD_PRIO_INHERIT=yes], + [ax_cv_PTHREAD_PRIO_INHERIT=no]) + ]) + AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"], + [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])]) + + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" + + # More AIX lossage: compile with *_r variant + if test "x$GCC" != xyes; then + case $host_os in + aix*) + AS_CASE(["x/$CC"], + [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], + [#handle absolute path differently from PATH based program lookup + AS_CASE(["x$CC"], + [x/*], + [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])], + [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])]) + ;; + esac + fi +fi + +test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" + +AC_SUBST([PTHREAD_LIBS]) +AC_SUBST([PTHREAD_CFLAGS]) +AC_SUBST([PTHREAD_CC]) + +# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: +if test x"$ax_pthread_ok" = xyes; then + ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1]) + : +else + ax_pthread_ok=no + $2 +fi +AC_LANG_POP +])dnl AX_PTHREAD diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch new file mode 100644 index 000000000..ecaca6ea5 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch 
@@ -0,0 +1,31 @@
+This fixes musl build issue do to missing FD_* defines.
+Add sys/select.h
+
+Upstream-Status: Pending
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: TPM2.0-TSS/tcti/tcti_socket.cpp
+===================================================================
+--- TPM2.0-TSS.orig/tcti/tcti_socket.cpp
++++ TPM2.0-TSS/tcti/tcti_socket.cpp
+@@ -28,6 +28,7 @@
+ #include <stdio.h>
+ #include <stdlib.h> // Needed for _wtoi
+
++#include "sys/select.h"
+ #include <sapi/tpm20.h>
+ #include <tcti/tcti_socket.h>
+ #include "sysapi_util.h"
+Index: TPM2.0-TSS/resourcemgr/resourcemgr.c
+===================================================================
+--- TPM2.0-TSS.orig/resourcemgr/resourcemgr.c
++++ TPM2.0-TSS/resourcemgr/resourcemgr.c
+@@ -28,6 +28,7 @@
+ #include <stdio.h>
+ #include <stdlib.h> // Needed for _wtoi
+
++#include "sys/select.h"
+ #include <sapi/tpm20.h>
+ #include <tcti/tcti_device.h>
+ #include <tcti/tcti_socket.h>
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb
new file mode 100644
index 000000000..b673c2bfd
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb
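Review bot: Both hunks add the header as `#include "sys/select.h"` with quotes, so the preprocessor searches the including file's directory and the `-I` paths before the system include path, and a stray `sys/select.h` under `tcti/` or `resourcemgr/` would shadow the libc header. Use the angle-bracket form, `#include <sys/select.h>`, as the neighbouring system includes do. The commit message typo `do to` should be `due to`.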
@@ -0,0 +1,99 @@
+SUMMARY = "Software stack for TPM2."
+DESCRIPTION = "tpm2.0-tss like woah."
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+SECTION = "tpm"
+
+DEPENDS = "autoconf-archive pkgconfig"
+
+SRCREV = "b1d9ece8c6bea2e3043943b2edfaebcdca330c38"
+
+SRC_URI = " \
+ git://github.com/tpm2-software/tpm2-tss.git;branch=1.x \
+ file://ax_pthread.m4 \
+"
+
+inherit autotools pkgconfig systemd
+
+S = "${WORKDIR}/git"
+
+do_configure_prepend () {
+ mkdir -p ${S}/m4
+ cp ${WORKDIR}/ax_pthread.m4 ${S}/m4
+ # execute the bootstrap script
+ currentdir=$(pwd)
+ cd ${S}
+ ACLOCAL="aclocal --system-acdir=${STAGING_DATADIR}/aclocal" ./bootstrap
+ cd $currentdir
+}
+
+INHERIT += "extrausers"
+EXTRA_USERS_PARAMS = "\
+ useradd -p '' tss; \
+ groupadd tss; \
+ "
+
+SYSTEMD_PACKAGES = "resourcemgr"
+SYSTEMD_SERVICE_resourcemgr = "resourcemgr.service"
+SYSTEMD_AUTO_ENABLE_resourcemgr = "enable"
+
+do_patch[postfuncs] += "${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','fix_systemd_unit','', d)}"
+fix_systemd_unit () {
+ sed -i -e 's;^ExecStart=.*/resourcemgr;ExecStart=${sbindir}/resourcemgr;' ${S}/contrib/resourcemgr.service
+}
+
+do_install_append() {
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -d ${D}${systemd_system_unitdir}
+ install -m0644 ${S}/contrib/resourcemgr.service ${D}${systemd_system_unitdir}/resourcemgr.service
+ fi
+}
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = " \
+ ${PN}-dbg \
+ ${PN}-doc \
+ libtss2 \
+ libtss2-dev \
+ libtss2-staticdev \
+ libtctidevice \
+ libtctidevice-dev \
+ libtctidevice-staticdev \
+ libtctisocket \
+ libtctisocket-dev \
+ libtctisocket-staticdev \
+ resourcemgr \
+"
+
+FILES_libtss2 = " \
+ ${libdir}/libsapi.so.0.0.0 \
+ ${libdir}/libmarshal.so.0.0.0 \
+"
+FILES_libtss2-dev = " \
+ ${includedir}/sapi \
+ ${includedir}/tcti/common.h \
+ ${libdir}/libsapi.so* \
+ ${libdir}/libmarshal.so* \
+ ${libdir}/pkgconfig/sapi.pc \
+"
+FILES_libtss2-staticdev = " \
+ ${libdir}/libsapi.a \
+ ${libdir}/libsapi.la \
+ ${libdir}/libmarshal.a \
+ ${libdir}/libmarshal.la \
+"
+FILES_libtctidevice = "${libdir}/libtcti-device.so.0.0.0"
+FILES_libtctidevice-dev = " \
+ ${includedir}/tcti/tcti_device.h \
+ ${libdir}/libtcti-device.so* \
+ ${libdir}/pkgconfig/tcti-device.pc \
+"
+FILES_libtctidevice-staticdev = "${libdir}/libtcti-device.*a"
+FILES_libtctisocket = "${libdir}/libtcti-socket.so.0.0.0"
+FILES_libtctisocket-dev = " \
+ ${includedir}/tcti/tcti_socket.h \
+ ${libdir}/libtcti-socket.so* \
+ ${libdir}/pkgconfig/tcti-socket.pc \
+"
+FILES_libtctisocket-staticdev = "${libdir}/libtcti-socket.*a"
+FILES_resourcemgr = "${sbindir}/resourcemgr ${systemd_system_unitdir}/resourcemgr.service"
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb b/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb
new file mode 100644
index 000000000..866791c29
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb
@@ -0,0 +1,22 @@
+SUMMARY = "TPM 2.0 Simulator Extraction Script"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1415f7be284540b81d9d28c67c1a6b8b"
+
+DEPENDS = "python"
+
+SRCREV = "e45324eba268723d39856111e7933c5c76238481"
+SRC_URI = "git://github.com/stwagnr/tpm2simulator.git"
+
+S = "${WORKDIR}/git"
+OECMAKE_SOURCEPATH = "${S}/cmake"
+
+inherit native lib_package cmake
+
+EXTRA_OECMAKE = " \
+ -DCMAKE_BUILD_TYPE=Debug \
+ -DSPEC_VERSION=138 \
+"
+
+do_configure_prepend () {
+ sed -i 's/^SET = False/SET = True/' ${S}/scripts/settings.py
+}
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
new file mode 100644
index 000000000..7b3cc77c5
--- /dev/null
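Review bot: `useradd -p '' tss` in EXTRA_USERS_PARAMS creates the tss service account with an empty password field, no `--system` flag and the default login shell, so on an image whose PAM stack allows empty passwords it is an interactively usable account; the trousers recipe in this same series creates its tss user as `--system -M -s /bin/false -g tss`. The ordering is also suspect: `useradd` runs before `groupadd tss`, so the user gets whatever primary group useradd picks rather than tss, and the later groupadd may fail if useradd already created a same-named group (depends on the target's USERGROUPS_ENAB setting; verify). Change the block to `groupadd --system tss; \` followed by `useradd --system -M -s /bin/false -g tss tss; \`, or better move to the useradd class as trousers_git.bb does, since `INHERIT += "extrausers"` is a configuration-file idiom rather than a recipe-level `inherit`.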
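Review bot: The `sed -i 's/^SET = False/SET = True/'` in do_configure_prepend silently becomes a no-op if upstream renames or reformats the `SET = False` line, and the native build would then proceed with the upstream default, which the recipe does not document. Guard it with a check such as `grep -q '^SET = False' ${S}/scripts/settings.py || bbfatal "settings.py: expected 'SET = False' not found"` before the sed, and add a one-line comment saying what SET enables, since that is not discernible from the recipe. A comment on why `-DCMAKE_BUILD_TYPE=Debug` is wanted for a native tool would also help the next maintainer.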
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch 
@@ -0,0 +1,68 @@
+From 3396fc7a184293c23135161f034802062f7f3816 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <adraszik@tycoint.com>
+Date: Wed, 1 Nov 2017 11:41:48 +0000
+Subject: [PATCH] build: don't override --localstatedir --mandir --sysconfdir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It is currently impossible to override localstatedir,
+mandir and sysconfdir during ./configure, because they
+are being overriden unconditionally because of they
+way trousers is built using rpmbuild.
+
+If they need massaging for rpmbuild, the values should
+be specified inside the spec file, not in ./configure
+and thereby overriding user-requested values.
+
+With this patch it is now possible to set above
+locations as needed. The .spec file is being modified
+as well so as to restore previous behaviour.
+
+Signed-off-by: André Draszik <adraszik@tycoint.com>
+---
+Upstream-Status: Submitted [https://sourceforge.net/p/trousers/mailman/message/36099290/]
+Signed-off-by: André Draszik <adraszik@tycoint.com>
+ configure.ac | 11 ++---------
+ dist/trousers.spec.in | 2 +-
+ 2 files changed, 3 insertions(+), 10 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b9626af..7fe5f8e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -376,16 +376,9 @@ CFLAGS="$CFLAGS -I../include \
+ KERNEL_VERSION=`uname -r`
+ AC_SUBST(CFLAGS)
+
+-# When we build the rpms, prefix will be /usr. This'll do some things that make sense,
+-# like put our sbin stuff in /usr/sbin and our library in /usr/lib. It'll do some other
+-# things that don't make sense like put our config file in /usr/etc. So, I'll just hack
+-# it here. If the --prefix option isn't specified during configure, let it all go to
++# If the --prefix option isn't specified during configure, let it all go to
+ # /usr/local, even /usr/local/etc. :-P
+-if test x"${prefix}" = x"/usr"; then
+- sysconfdir="/etc"
+- localstatedir="/var"
+- mandir="/usr/share/man"
+-elif test x"${prefix}" = x"NONE"; then
++if test x"${prefix}" = x"NONE"; then
+ localstatedir="/usr/local/var"
+ fi
+
+diff --git a/dist/trousers.spec.in b/dist/trousers.spec.in
+index b298b0e..10ef178 100644
+--- a/dist/trousers.spec.in
++++ b/dist/trousers.spec.in
+@@ -45,7 +45,7 @@ applications.
+
+ %build
+ %{?arch64:export PKG_CONFIG_PATH=%{pkgconfig_path}:$PKG_CONFIG_PATH}
+-./configure --prefix=/usr --libdir=%{_libdir}
++./configure --prefix=/usr --libdir=%{_libdir} --sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man
+ make
+
+ %clean
+--
+2.15.0.rc1
+
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
new file mode 100644
index 000000000..3f5a144d9
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
@@ -0,0 +1,49 @@
+trousers: fix compiling with musl
+
+use POSIX getpwent instead of getpwent_r
+
+Upstream-Status: Submitted
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: git/src/tspi/ps/tspps.c
+===================================================================
+--- git.orig/src/tspi/ps/tspps.c
++++ git/src/tspi/ps/tspps.c
+@@ -66,9 +66,6 @@ get_user_ps_path(char **file)
+ TSS_RESULT result;
+ char *file_name = NULL, *home_dir = NULL;
+ struct passwd *pwp;
+-#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
+- struct passwd pw;
+-#endif
+ struct stat stat_buf;
+ char buf[PASSWD_BUFSIZE];
+ uid_t euid;
+@@ -96,24 +93,15 @@ get_user_ps_path(char **file)
+ #else
+ setpwent();
+ while (1) {
+-#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
+- rc = getpwent_r(&pw, buf, PASSWD_BUFSIZE, &pwp);
+- if (rc) {
+- LogDebugFn("USER PS: Error getting path to home directory: getpwent_r: %s",
+- strerror(rc));
+- endpwent();
+- return TSPERR(TSS_E_INTERNAL_ERROR);
+- }
+-
+-#elif (defined (__FreeBSD__) || defined (__OpenBSD__))
+ if ((pwp = getpwent()) == NULL) {
+ LogDebugFn("USER PS: Error getting path to home directory: getpwent: %s",
+ strerror(rc));
+ endpwent();
++#if (defined (__FreeBSD__) || defined (__OpenBSD__))
+ MUTEX_UNLOCK(user_ps_path);
++#endif
+ return TSPERR(TSS_E_INTERNAL_ERROR);
+ }
+-#endif
+ if (euid == pwp->pw_uid) {
+ home_dir = strdup(pwp->pw_dir);
+ break;
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service b/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service
new file mode 100644
index 000000000..787d4e97b
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TCG Core Services Daemon
+After=syslog.target
+
+[Service]
+Type=forking
+ExecStart=@SBINDIR@/tcsd
+
+[Install]
+WantedBy=multi-user.target
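Review bot: The error path that now runs on every platform logs `strerror(rc)`, but nothing in this hunk assigns `rc` once the `getpwent_r` call is removed, so the message reports a stale or uninitialised value; `getpwent()` signals failure through errno, so the line should become `strerror(errno)` with errno captured immediately after the call, before LogDebugFn can clobber it. The patch also replaces the reentrant `getpwent_r` on every glibc/Linux build rather than only where it is missing, while the `MUTEX_UNLOCK(user_ps_path)` that serialises the non-reentrant `getpwent` walk stays BSD-only, so libtspi callers in multithreaded programs lose that protection on glibc; keeping the `getpwent_r` branch under `#if defined(__GLIBC__)` and taking the plain `getpwent` path elsewhere would fix musl without that regression. `buf[PASSWD_BUFSIZE]` is left declared but unused on the new path. get_user_ps_path starts and ends outside this hunk, so `rc` may be set elsewhere in the function; confirm before relying on it.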
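Review bot: The unit launches tcsd with `Type=forking` and no `User=`/`Group=`, so unless tcsd drops privileges on its own (not visible here) it stays root, whereas the init script in this same series runs it as `--user tss --chuid tss` with `--foreground`. For parity with the sysvinit path, and so that the udev rule's tss:tss 0600 ownership of /dev/tpm* is the only access path, use `Type=simple`, `User=tss`, `Group=tss` and `ExecStart=@SBINDIR@/tcsd --foreground`, and confirm that tcsd.conf is readable by the tss group under that setup. `After=syslog.target` is a legacy target with no effect on current systemd; `After=network.target` (or a device unit for the TPM) would better describe what tcsd actually waits on.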
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules b/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
new file mode 100644
index 000000000..256babd73
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
@@ -0,0 +1,2 @@
+# trousers daemon expects tpm device to be owned by tss user & group
+KERNEL=="tpm[0-9]*", MODE="0600", OWNER="tss", GROUP="tss"
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh b/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
new file mode 100644
index 000000000..d0d6cb3c4
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: tcsd trousers
+# Required-Start: $local_fs $remote_fs $network
+# Required-Stop: $local_fs $remote_fs $network
+# Should-Start:
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: starts tcsd
+# Description: tcsd belongs to the TrouSerS TCG Software Stack
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/tcsd
+NAME=tcsd
+DESC="Trusted Computing daemon"
+USER="tss"
+
+test -x "${DAEMON}" || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+case "${1}" in
+ start)
+ echo "Starting $DESC: "
+
+ if [ ! -e /dev/tpm* ]
+ then
+ echo "device driver not loaded, skipping."
+ exit 0
+ fi
+
+ start-stop-daemon --start --quiet --oknodo \
+ --pidfile /var/run/${NAME}.pid --make-pidfile --background \
+ --user ${USER} --chuid ${USER} \
+ --exec ${DAEMON} -- ${DAEMON_OPTS} --foreground
+ RETVAL="$?"
+ echo "$NAME."
+ exit $RETVAL
+ ;;
+
+ stop)
+ echo "Stopping $DESC: "
+
+ start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --exec ${DAEMON}
+ RETVAL="$?"
+ echo "$NAME."
+ rm -f /var/run/${NAME}.pid
+ exit $RETVAL
+ ;;
+
+ restart|force-reload)
+ "${0}" stop
+ sleep 1
+ "${0}" start
+ exit $?
+ ;;
+ *)
+ echo "Usage: ${NAME} {start|stop|restart|force-reload|status}" >&2
+ exit 3
+ ;;
+esac
+
+exit 0
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
new file mode 100644
index 000000000..fe8f55714
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
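Review bot: The device probe `if [ ! -e /dev/tpm* ]` puts an unquoted glob inside a single-operand test: with no match the literal string is tested and the skip works, but with two or more TPM nodes `[` receives several arguments, fails with "too many arguments", and the start branch falls through and launches tcsd anyway. A form that degrades cleanly is `if ! ls /dev/tpm[0-9]* >/dev/null 2>&1; then`, which also mirrors the `tpm[0-9]*` pattern used by the udev rule in this series. The usage message advertises `status`, but there is no `status)` case, so that argument lands in `*)` and exits 3; either add one (dpkg's start-stop-daemon has `--status`; busybox's may not) or drop it from the usage string.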
@@ -0,0 +1,118 @@
+SUMMARY = "TrouSerS - An open-source TCG Software Stack implementation."
+LICENSE = "BSD"
+HOMEPAGE = "http://sourceforge.net/projects/trousers/"
+LIC_FILES_CHKSUM = "file://README;startline=3;endline=4;md5=2af28fbed0832e4d83a9e6dd68bb4413"
+SECTION = "security/tpm"
+
+DEPENDS = "openssl"
+
+SRCREV = "4b9a70d5789b0b74f43957a6c19ab2156a72d3e0"
+PV = "0.3.14+git${SRCPV}"
+
+SRC_URI = " \
+ git://git.code.sf.net/p/trousers/trousers \
+ file://trousers.init.sh \
+ file://trousers-udev.rules \
+ file://tcsd.service \
+ file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
+ file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
+ "
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig useradd update-rc.d ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+
+PACKAGECONFIG ?= "gmp "
+PACKAGECONFIG[gmp] = "--with-gmp, --with-gmp=no, gmp"
+PACKAGECONFIG[gtk] = "--with-gui=gtk, --with-gui=none, gtk+"
+
+do_install () {
+ oe_runmake DESTDIR=${D} install
+}
+
+do_install_append() {
+ install -d ${D}${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/trousers.init.sh ${D}${sysconfdir}/init.d/trousers
+ install -d ${D}${sysconfdir}/udev/rules.d
+ install -m 0644 ${WORKDIR}/trousers-udev.rules ${D}${sysconfdir}/udev/rules.d/45-trousers.rules
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/tcsd.service ${D}${systemd_unitdir}/system/
+ sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/tcsd.service
+ fi
+}
+
+CONFFILES_${PN} += "${sysconfig}/tcsd.conf"
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = " \
+ libtspi \
+ libtspi-dbg \
+ libtspi-dev \
+ libtspi-doc \
+ libtspi-staticdev \
+ trousers \
+ trousers-dbg \
+ trousers-doc \
+ "
+
+# libtspi needs tcsd for most (all?) operations, so suggest to
+# install that.
+RRECOMMENDS_libtspi = "${PN}"
+
+FILES_libtspi = " \
+ ${libdir}/*.so.1 \
+ ${libdir}/*.so.1.2.0 \
+ "
+FILES_libtspi-dbg = " \
+ ${libdir}/.debug \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tspi \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trspi \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/*.h \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/tss \
+ "
+FILES_libtspi-dev = " \
+ ${includedir} \
+ ${libdir}/*.so \
+ "
+FILES_libtspi-doc = " \
+ ${mandir}/man3 \
+ "
+FILES_libtspi-staticdev = " \
+ ${libdir}/*.la \
+ ${libdir}/*.a \
+ "
+FILES_${PN} = " \
+ ${sbindir}/tcsd \
+ ${sysconfdir} \
+ ${localstatedir} \
+ "
+
+FILES_${PN}-dev += "${libdir}/trousers"
+
+FILES_${PN}-dbg = " \
+ ${sbindir}/.debug \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcs \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcsd \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tddl \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trousers \
+ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/trousers \
+ "
+FILES_${PN}-doc = " \
+ ${mandir}/man5 \
+ ${mandir}/man8 \
+ "
+
+INITSCRIPT_NAME = "trousers"
+INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system tss"
+USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "tcsd.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+BBCLASSEXTEND = "native" |
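Review bot: `CONFFILES_${PN} += "${sysconfig}/tcsd.conf"` references `${sysconfig}`, which is not a BitBake/OE variable; the recipe itself installs under `${sysconfdir}` a few lines above, so this entry expands to `/tcsd.conf`, matches no packaged file, and a package upgrade will overwrite an administrator-edited tcsd.conf rather than preserving it. Change it to `CONFFILES_${PN} += "${sysconfdir}/tcsd.conf"`. Two smaller inconsistencies worth a look: the daemon is enabled by default under sysvinit via INITSCRIPT_PARAMS but `SYSTEMD_AUTO_ENABLE = "disable"` under systemd, and `LICENSE = "BSD"` is the generic identifier where the tpm2.0-tss recipe in this same series already uses the SPDX form `BSD-2-Clause` (confirm against the README lines the checksum covers before changing it).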