
[v3,2/2] package/tpm2-tss-engine: add version 1.2.0

Message ID 20241129221324.360497-1-abelino.romo@gmail.com
State New
Series [v3,1/2] package/tpm2-tss: bump version to 4.1.3 | expand

Commit Message

Abelino Romo Nov. 29, 2024, 10:13 p.m. UTC
Introduce the TPM2-TSS OpenSSL Engine to enable TPM2 device support in
ecosystems that do not yet support OpenSSL Providers. This is
particularly useful in the Erlang space, where OpenSSL 3 Providers are
still under development [1].

[1] https://erlangforums.com/t/openssl-3-support-for-provider-deprecated-engine-replacement/2954/2

Signed-off-by: Abelino Romo <abelino.romo@gmail.com>
---
Changes v2 -> v3:
  - Use the manually uploaded release tarball (the artifact from the
    releases/download URL) rather than the auto-generated archive tarball.
    (suggested by Thomas Petazzoni in tpm2-tss patch thread)

	- Updated Signed-Off formatting.
	  (suggested by Thomas Petazzoni in tpm2-tss patch thread)

 package/Config.in                             |  1 +
 ...-disabling-of-digest-sign-operations.patch | 46 +++++++++++++++++++
 package/tpm2-tss-engine/Config.in             | 21 +++++++++
 package/tpm2-tss-engine/tpm2-tss-engine.hash  |  3 ++
 package/tpm2-tss-engine/tpm2-tss-engine.mk    | 33 +++++++++++++
 5 files changed, 104 insertions(+)
 create mode 100644 package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
 create mode 100644 package/tpm2-tss-engine/Config.in
 create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.hash
 create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.mk

Patch

diff --git a/package/Config.in b/package/Config.in
index 1eb5e1e020..4f4b7a34d5 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1633,6 +1633,7 @@  menu "Crypto"
 	source "package/tpm2-openssl/Config.in"
 	source "package/tpm2-pkcs11/Config.in"
 	source "package/tpm2-tss/Config.in"
+	source "package/tpm2-tss-engine/Config.in"
 	source "package/trousers/Config.in"
 	source "package/ustream-ssl/Config.in"
 	source "package/wolfssl/Config.in"
diff --git a/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
new file mode 100644
index 0000000000..7ce717df4a
--- /dev/null
+++ b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch
@@ -0,0 +1,46 @@ 
+From af8b26e7ffe69837197fb841e9a31230ae01c9cc Mon Sep 17 00:00:00 2001
+From: Andreas Fuchs <andreas.fuchs@infineon.com>
+Date: Mon, 22 May 2023 14:06:41 +0200
+Subject: [PATCH] Configure: Allow disabling of digest-sign operations
+
+Since the digest-sign operations perform the hash on the TPM and
+TPMs in general do not support SHA512, this can lead to errors.
+Depending on the use case, it might be preferable to not support
+restricted keys (via digest+sign) but to rely on ordinary keys
+only.
+
+Upstream: https://github.com/tpm2-software/tpm2-tss-engine/commit/af8b26e7ffe69837197fb841e9a31230ae01c9cc
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+---
+ configure.ac | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d4a9356..b379042 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,13 +116,19 @@ PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g],
+ PKG_CHECK_MODULES([TSS2_ESYS], [tss2-esys >= 2.3])
+ PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
+ PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr])
++
+ AC_CHECK_LIB([crypto], EC_KEY_METHOD_set_compute_key,
+       [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], true)],
+       [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], false)])
++
++AC_ARG_ENABLE([digestsign],
++              [AS_HELP_STRING([--disable-digestsign],
++                              [Disable support for digest and sign methods, helps with TPM unsupported hash algorithms.])],,
++              [enable_digestsign=yes])
+ AC_CHECK_LIB([crypto], EVP_PKEY_meth_set_digest_custom,
+-      [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], true)],
++      [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], [test "x$enable_digestsign" != "xno"])],
+       [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], false)])
+-AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes],
++AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes && test "x$enable_digestsign" = "xyes"],
+       [AC_DEFINE([HAVE_OPENSSL_DIGEST_SIGN], [1],
+                  Have required functionality from OpenSSL to support digest and sign)])
+ 
+-- 
+2.47.0
+
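Review bot: In the backported configure.ac change, the `AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], [test "x$enable_digestsign" != "xno"])` test and the `AS_IF([... && test "x$enable_digestsign" = "xyes"], ...)` test disagree for any value other than yes/no (for example `--enable-digestsign=auto`): the digest-sign sources would be compiled into the engine while HAVE_OPENSSL_DIGEST_SIGN stays undefined. This is unreachable from this series, since tpm2-tss-engine.mk only ever passes `--disable-digestsign` or nothing, and as a verbatim upstream backport the patch should stay as it is. The mismatch is worth reporting upstream rather than diverging from the upstream commit here.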
diff --git a/package/tpm2-tss-engine/Config.in b/package/tpm2-tss-engine/Config.in
new file mode 100644
index 0000000000..00f8ac7632
--- /dev/null
+++ b/package/tpm2-tss-engine/Config.in
@@ -0,0 +1,21 @@ 
+config BR2_PACKAGE_TPM2_TSS_ENGINE
+	bool "tpm2-tss-engine"
+	select BR2_PACKAGE_TPM2_TSS
+	select BR2_PACKAGE_LIBOPENSSL_ENGINES
+	help
+	  The tpm2-tss-engine project implements a cryptographic engine
+	  for OpenSSL for Trusted Platform Module (TPM 2.0) using the
+	  tpm2-tss software stack that follows the Trusted Computing
+	  Groups (TCG) TPM Software Stack (TSS 2.0). It uses the
+	  Enhanced System API (ESAPI) interface of the TSS 2.0 for
+	  downwards communication. It supports RSA decryption and
+	  signatures as well as ECDSA signatures.
+
+if BR2_PACKAGE_TPM2_TSS_ENGINE
+
+config BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN
+	bool "enable digest and sign support"
+	help
+	  Enable digest-sign hash operations on the TPM.
+
+endif
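Review bot: The `config BR2_PACKAGE_TPM2_TSS_ENGINE` entry selects BR2_PACKAGE_TPM2_TSS but does not replicate that package's `depends on` lines, so the option stays visible in configurations where tpm2-tss itself cannot be enabled and kconfig only warns about unmet dependencies. Buildroot convention is to mirror the dependencies of every selected package with a `# tpm2-tss` comment and add a matching `comment` entry; as far as I recall package/tpm2-tss/Config.in requires threads, dynamic libraries and an MMU (confirm against the current file), and since the engine is a shared object loaded by libcrypto at runtime, `!BR2_STATIC_LIBS` applies to this package directly as well. Because the engine links libcrypto itself and BR2_PACKAGE_LIBOPENSSL_ENGINES only exists under libopenssl, the entry should also select BR2_PACKAGE_OPENSSL and BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL explicitly rather than relying on tpm2-tss to do so. The help text of BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN could state why it defaults to off, e.g. `Leave this disabled when the TPM does not implement a hash algorithm (such as SHA-512) needed for digest-sign operations.`
```kconfig
config BR2_PACKAGE_TPM2_TSS_ENGINE
	bool "tpm2-tss-engine"
	depends on BR2_TOOLCHAIN_HAS_THREADS # tpm2-tss
	depends on !BR2_STATIC_LIBS # tpm2-tss, engine is a dlopen()ed shared object
	depends on BR2_USE_MMU # tpm2-tss
	select BR2_PACKAGE_OPENSSL
	select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL
	select BR2_PACKAGE_TPM2_TSS
	select BR2_PACKAGE_LIBOPENSSL_ENGINES
	# ... unchanged: help text ...

comment "tpm2-tss-engine needs a toolchain w/ threads, dynamic library"
	depends on BR2_USE_MMU
	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS

# ... unchanged: if BR2_PACKAGE_TPM2_TSS_ENGINE / digest-sign option / endif ...
```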
diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.hash b/package/tpm2-tss-engine/tpm2-tss-engine.hash
new file mode 100644
index 0000000000..294847d5f8
--- /dev/null
+++ b/package/tpm2-tss-engine/tpm2-tss-engine.hash
@@ -0,0 +1,3 @@ 
+# Locally computed:
+sha256  3c94fef110dd3630b3c28c5875febba76b7d5ba2fcc04a14c4a30f5d2157c265  tpm2-tss-engine-1.2.0.tar.gz
+sha256  7a77915f34caf18d47bc31750dae47dbd7f7895e95bbb8370f477c25009388f6  LICENSE
diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.mk b/package/tpm2-tss-engine/tpm2-tss-engine.mk
new file mode 100644
index 0000000000..66c5584505
--- /dev/null
+++ b/package/tpm2-tss-engine/tpm2-tss-engine.mk
@@ -0,0 +1,33 @@ 
+################################################################################
+#
+# tpm2-tss-engine
+#
+################################################################################
+
+TPM2_TSS_ENGINE_VERSION = 1.2.0
+TPM2_TSS_ENGINE_SITE = https://github.com/tpm2-software/tpm2-tss-engine/releases/download/$(TPM2_TSS_ENGINE_VERSION)
+TPM2_TSS_ENGINE_LICENSE = BSD-3-Clause
+TPM2_TSS_ENGINE_LICENSE_FILES = LICENSE
+TPM2_TSS_ENGINE_INSTALL_STAGING = YES
+TPM2_TSS_ENGINE_DEPENDENCIES = host-pkgconf tpm2-tss
+TPM2_TSS_ENGINE_AUTORECONF = YES
+
+# Since the OpenSSL 3.0 Engine APIs are deprecated, suppress the warnings.
+TPM2_TSS_ENGINE_CFLAGS = $(TARGET_CFLAGS) -Wno-deprecated-declarations
+TPM2_TSS_ENGINE_CONF_ENV += CFLAGS="$(TPM2_TSS_ENGINE_CFLAGS)"
+
+define TPM2_TSS_ENGINE_ENGINESDIR
+	$(PKG_CONFIG_HOST_BINARY) --variable=enginesdir libcrypto \
+		| xargs readlink -f \
+		| sed 's%^$(STAGING_DIR)%%'
+endef
+
+TPM2_TSS_ENGINE_CONF_OPTS = \
+	--disable-defaultflags \
+	--with-enginesdir=`$(TPM2_TSS_ENGINE_ENGINESDIR)`
+
+ifneq ($(BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN),y)
+TPM2_TSS_ENGINE_CONF_OPTS += --disable-digestsign
+endif
+
+$(eval $(autotools-package))
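Review bot: The `TPM2_TSS_ENGINE_DEPENDENCIES = host-pkgconf tpm2-tss` line omits openssl even though the engine links libcrypto directly and `TPM2_TSS_ENGINE_ENGINESDIR` queries `libcrypto` through pkg-config at configure time; this only works today because tpm2-tss pulls openssl in transitively, and Buildroot convention is to list direct dependencies, so change it to `TPM2_TSS_ENGINE_DEPENDENCIES = host-pkgconf openssl tpm2-tss`. `--disable-defaultflags` also deserves a one-line comment saying why upstream's default compiler flags are turned off (presumably they would be layered on top of TARGET_CFLAGS — worth confirming against configure.ac), for instance `# Let Buildroot's TARGET_CFLAGS drive the build instead of upstream's default flags`. Minor style: Buildroot .mk files usually write `ifeq ($(BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN),y) … else … endif` rather than `ifneq`, and the first assignment to `TPM2_TSS_ENGINE_CONF_ENV` can use `=` instead of `+=`.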