@@ -1633,6 +1633,7 @@ menu "Crypto"
source "package/tpm2-openssl/Config.in"
source "package/tpm2-pkcs11/Config.in"
source "package/tpm2-tss/Config.in"
+ source "package/tpm2-tss-engine/Config.in"
source "package/trousers/Config.in"
source "package/ustream-ssl/Config.in"
source "package/wolfssl/Config.in"
new file mode 100644
@@ -0,0 +1,46 @@
+From af8b26e7ffe69837197fb841e9a31230ae01c9cc Mon Sep 17 00:00:00 2001
+From: Andreas Fuchs <andreas.fuchs@infineon.com>
+Date: Mon, 22 May 2023 14:06:41 +0200
+Subject: [PATCH] Configure: Allow disabling of digest-sign operations
+
+Since the digest-sign operations perform the hash on the TPM and
+TPMs in general do not support SHA512, this can lead to errors.
+Depending on the use case, it might be preferable to not support
+restricted keys (via digest+sign) but to rely on ordinary keys
+only.
+
+Upstream: https://github.com/tpm2-software/tpm2-tss-engine/commit/af8b26e7ffe69837197fb841e9a31230ae01c9cc
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+---
+ configure.ac | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d4a9356..b379042 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,13 +116,19 @@ PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g],
+ PKG_CHECK_MODULES([TSS2_ESYS], [tss2-esys >= 2.3])
+ PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
+ PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr])
++
+ AC_CHECK_LIB([crypto], EC_KEY_METHOD_set_compute_key,
+ [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], true)],
+ [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], false)])
++
++AC_ARG_ENABLE([digestsign],
++ [AS_HELP_STRING([--disable-digestsign],
++ [Disable support for digest and sign methods, helps with TPM unsupported hash algorithms.])],,
++ [enable_digestsign=yes])
+ AC_CHECK_LIB([crypto], EVP_PKEY_meth_set_digest_custom,
+- [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], true)],
++ [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], [test "x$enable_digestsign" != "xno"])],
+ [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], false)])
+-AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes],
++AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes && test "x$enable_digestsign" = "xyes"],
+ [AC_DEFINE([HAVE_OPENSSL_DIGEST_SIGN], [1],
+ Have required functionality from OpenSSL to support digest and sign)])
+
+--
+2.47.0
+
new file mode 100644
@@ -0,0 +1,21 @@
+config BR2_PACKAGE_TPM2_TSS_ENGINE
+ bool "tpm2-tss-engine"
+ select BR2_PACKAGE_TPM2_TSS
+ select BR2_PACKAGE_LIBOPENSSL_ENGINES
+ help
+ The tpm2-tss-engine project implements a cryptographic engine
+ for OpenSSL for Trusted Platform Module (TPM 2.0) using the
+ tpm2-tss software stack that follows the Trusted Computing
+ Groups (TCG) TPM Software Stack (TSS 2.0). It uses the
+ Enhanced System API (ESAPI) interface of the TSS 2.0 for
+ downwards communication. It supports RSA decryption and
+ signatures as well as ECDSA signatures.
+
+if BR2_PACKAGE_TPM2_TSS_ENGINE
+
+config BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN
+ bool "enable digest and sign support"
+ help
+ Enable digest-sign hash operations on the TPM.
+
+endif
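Review bot: The new option selects only `BR2_PACKAGE_LIBOPENSSL_ENGINES` and carries no `depends on` lines, yet `select` does not honour the selected symbol's own dependencies, so the option should also `select BR2_PACKAGE_OPENSSL` and `select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL`, and repeat whatever `depends on` constraints package/tpm2-tss/Config.in carries (presumably `!BR2_STATIC_LIBS`, since an engine is loaded as a shared object) together with the usual "needs a toolchain w/ ..." comment stanza. The help text should end with the upstream URL, as Buildroot expects: `https://github.com/tpm2-software/tpm2-tss-engine`. The `BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN` help could state the trade-off the bundled patch describes so a user knows why it is off by default, e.g. `Digest-sign computes the hash on the TPM itself, which fails for digests the TPM does not implement (typically SHA-512); leave it disabled unless restricted keys are required.`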
new file mode 100644
@@ -0,0 +1,3 @@
+# Locally computed:
+sha256 3c94fef110dd3630b3c28c5875febba76b7d5ba2fcc04a14c4a30f5d2157c265 tpm2-tss-engine-1.2.0.tar.gz
+sha256 7a77915f34caf18d47bc31750dae47dbd7f7895e95bbb8370f477c25009388f6 LICENSE
new file mode 100644
@@ -0,0 +1,33 @@
+################################################################################
+#
+# tpm2-tss-engine
+#
+################################################################################
+
+TPM2_TSS_ENGINE_VERSION = 1.2.0
+TPM2_TSS_ENGINE_SITE = https://github.com/tpm2-software/tpm2-tss-engine/releases/download/$(TPM2_TSS_ENGINE_VERSION)
+TPM2_TSS_ENGINE_LICENSE = BSD-3-Clause
+TPM2_TSS_ENGINE_LICENSE_FILES = LICENSE
+TPM2_TSS_ENGINE_INSTALL_STAGING = YES
+TPM2_TSS_ENGINE_DEPENDENCIES = host-pkgconf tpm2-tss
+TPM2_TSS_ENGINE_AUTORECONF = YES
+
+# Since the OpenSSL 3.0 Engine APIs are deprecated, suppress the warnings.
+TPM2_TSS_ENGINE_CFLAGS = $(TARGET_CFLAGS) -Wno-deprecated-declarations
+TPM2_TSS_ENGINE_CONF_ENV += CFLAGS="$(TPM2_TSS_ENGINE_CFLAGS)"
+
+define TPM2_TSS_ENGINE_ENGINESDIR
+ $(PKG_CONFIG_HOST_BINARY) --variable=enginesdir libcrypto \
+ | xargs readlink -f \
+ | sed 's%^$(STAGING_DIR)%%'
+endef
+
+TPM2_TSS_ENGINE_CONF_OPTS = \
+ --disable-defaultflags \
+ --with-enginesdir=`$(TPM2_TSS_ENGINE_ENGINESDIR)`
+
+ifneq ($(BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN),y)
+TPM2_TSS_ENGINE_CONF_OPTS += --disable-digestsign
+endif
+
+$(eval $(autotools-package))
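Review bot: `TPM2_TSS_ENGINE_DEPENDENCIES` omits `openssl` although the package links libcrypto and the `TPM2_TSS_ENGINE_ENGINESDIR` recipe queries the libcrypto pkg-config file from the staging tree directly; relying on tpm2-tss to pull OpenSSL in transitively is against Buildroot's rule of listing direct dependencies and would break ordering if tpm2-tss ever changed its crypto backend, so use `TPM2_TSS_ENGINE_DEPENDENCIES = host-pkgconf openssl tpm2-tss`. The conditional at the end only passes `--disable-digestsign` and leaves the enabled case to the patched configure's default; the usual idiom is an `ifeq ($(BR2_PACKAGE_TPM2_TSS_ENGINE_DIGEST_SIGN),y)` block adding `--enable-digestsign`, with `--disable-digestsign` in the `else` branch, so the behaviour is pinned regardless of upstream defaults. A short comment above the `define` explaining why the engines directory is resolved through `readlink -f` and then stripped of `$(STAGING_DIR)` (the path must be valid on the target, not in staging) would help the next maintainer.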
Introduce the TPM2-TSS OpenSSL Engine to enable TPM2 device support in ecosystems that do not yet support OpenSSL Providers. This is particularly useful in the Erlang space, where OpenSSL 3 Providers are still under development [1]. [1] https://erlangforums.com/t/openssl-3-support-for-provider-deprecated-engine-replacement/2954/2 Signed-off-by: Abelino Romo <abelino.romo@gmail.com> --- Changes v2 -> v3: - Use manually uploaded tarball - the artifact from releases/download URL - and not the archive tarball. (suggested by Thomas Petazzoni in tpm2-tss patch thread) - Updated Signed-Off formatting. (suggested by Thomas Petazzoni in tpm2-tss patch thread) package/Config.in | 1 + ...-disabling-of-digest-sign-operations.patch | 46 +++++++++++++++++++ package/tpm2-tss-engine/Config.in | 21 +++++++++ package/tpm2-tss-engine/tpm2-tss-engine.hash | 3 ++ package/tpm2-tss-engine/tpm2-tss-engine.mk | 33 +++++++++++++ 5 files changed, 104 insertions(+) create mode 100644 package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch create mode 100644 package/tpm2-tss-engine/Config.in create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.hash create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.mk