tpm2-pkcs11: init at 1.0.1 #72374
tpm2-pkcs11: init at 1.0.1 #72374
Conversation
ofborg
bot
added
8.has: package (new)
|
why not a stable version like 4.0.1? |
|
I'm afraid there's no released version yet, according to the releases page at least. However, I found this to be quite stable and working pretty well. I deem it useful for the Nix community and would therefore like to include it in nixpkgs. If there are any significant new features / critical bug fixes or an initial release, I'd of course file PRs for an update. Alternatively, we can wait for a release which should come in the next weeks. I'd suggest to keep the PR open though to keep it only todo list ;). |
|
according to tags 4.0.1 was realesed 3 days ago |
|
I'm quite certain you're looking at |
|
ah indeed, then change the version to unstable-2019-09-04 and keep the rev and version separate |
lschuermann
force-pushed
the
tpm2-pkcs11
branch
from
4623559 to
f129f5d
Compare
|
@0x4A6F I can do that, but recently noticed a few issues of the |
lschuermann
force-pushed
the
tpm2-pkcs11
branch
from
f129f5d to
3af86ce
Compare
or will it? After some delays, Apart from a few issues with my packaging, I've tested this pretty thoroughly and it appears to work just fine. I even pushed my last commit using the TPM. 🎉 ping @Lassulus |
| in '' | ||
| patchelf \ | ||
| --set-rpath ${rpath} \ | ||
| ${lib.optionalString abrmdSupport "--add-needed ${lib.makeLibraryPath [tpm2-abrmd]}/libtss2-tcti-tabrmd.so"} \ |
There was a problem hiding this comment.
Somehow, just setting the RPATH (or rather RUNPATH) to include the required TCTI shared libraries for TPM communication does not appear to work when the modified file is itself loaded as a shared library. I am quite sure this once used to work for me.
However, adding the TCTIs as a NEEDED library appears to work. I have still included those in the shared object's RUNPATH. Is this the correct way to do this?
pkgs/misc/tpm2-pkcs11/default.nix
Outdated
| ]; | ||
|
|
||
| outputs = [ "out" "tools" ]; | ||
| outputBin = "tools"; |
There was a problem hiding this comment.
The output for binaries should be bin. And since with #72029 (comment) the library will be installed, you should also add a dev output to be able to install the library without the other bits.
There was a problem hiding this comment.
Maybe even add a lib output too, to explicitly have libraries in there
There was a problem hiding this comment.
Currently, only the library is installed in the out output, no other bits. The only output containing any executables is in tools. I can change this to bin for sure. Is a dev output required then?
The library now has two outputs, "out" containing only the library, and "bin" containing only the tools. It works out of the box in nix-shell, as a build input and using the getLib.
There was a problem hiding this comment.
out currently includes
result
├── lib
│ ├── pkgconfig
│ │ └── tpm2-pkcs11.pc
│ ├── libtpm2_pkcs11.la
│ ├── libtpm2_pkcs11.so -> libtpm2_pkcs11.so.0.0.0
│ ├── libtpm2_pkcs11.so.0 -> libtpm2_pkcs11.so.0.0.0
│ └── libtpm2_pkcs11.so.0.0.0
└── nix-support
└── propagated-build-inputs
The pkgconfig and nix-support bits are development parts. I suggest doing this to split those:
(python37.withPackages (ps: [ ps.pyyaml ps.cryptography ps.pyasn1-modules ]))
];
- outputs = [ "out" "bin" ];
- outputBin = "bin";
+ outputs = [ "out" "bin" "dev" ];
dontStrip = true;
dontPatchELF = true;(and no need to assign outputBin because the default is bin already)
There was a problem hiding this comment.
Okay, I've integrated the requested changes. Now there are three outputs:
-
nix/store/452rf48l51c6rcybc217pclcyav9jdlx-tpm2-pkcs11-1.0.1 └── lib ├── libtpm2_pkcs11.la ├── libtpm2_pkcs11.so -> libtpm2_pkcs11.so.0.0.0 ├── libtpm2_pkcs11.so.0 -> libtpm2_pkcs11.so.0.0.0 └── libtpm2_pkcs11.so.0.0.0 -
/nix/store/57ic3dsidp6lm4g1wn5h1d76xl0dlwqn-tpm2-pkcs11-1.0.1-dev ├── lib │ └── pkgconfig │ └── tpm2-pkcs11.pc └── nix-support └── propagated-build-inputs -
/nix/store/16xlkaw49ayl10zi6wsbkja44qf3mbbf-tpm2-pkcs11-1.0.1-bin ├── bin │ └── tpm2_ptool └── share └── tpm2_pkcs11 ├── tpm2_pkcs11 │ ├── tpm2_ptool.py │ └── [...] ├── tpm2_ptool.py └── [...]
Good to know that this is the right(TM) way to do it.
lschuermann
force-pushed
the
tpm2-pkcs11
branch
from
3af86ce to
011abbf
Compare
|
@GrahamcOfBorg build tpm2-pkcs11 |
lschuermann
force-pushed
the
tpm2-pkcs11
branch
from
011abbf to
e2ad8ef
Compare
|
@GrahamcOfBorg build tpm2-pkcs11 |
tpm2-pkcs11: init at 1.0.1
This PR adds the TPM2 PKCS11 module as a Nix package.
It has a default target, which is the PKCS11 shared library (with the
rpathcorrectly set to include all other required shared libraries). In addition to that, thebintarget (selected by default for instance withnix-shell -p) makes thetpm2_ptoolPython application for management available. Together with #72029 and this setup guide, usage is pretty straightforward.Motivation for this change
I'd like to use my TPM2 chip as a generic Smartcard. This, for instance, enables storing SSH keys on a hardware device, which can improve security drastically.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)@Lassulus