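{
  autoconf-archive,
  autoreconfHook,
  buildEnv,
  clangStdenv,
  cmocka,
  dbus,
  expect,
  fetchFromGitHub,
  glibc,
  gnutls,
  iproute2,
  lib,
  libyaml,
  makeWrapper,
  opensc,
  openssh,
  openssl,
  nss,
  p11-kit,
  patchelf,
  pkg-config,
  python3,
  stdenv,
  sqlite,
  swtpm,
  tpm2-abrmd,
  tpm2-openssl,
  tpm2-pkcs11, # for passthru tests
  tpm2-pkcs11-esapi,
  tpm2-pkcs11-fapi,
  tpm2-tools,
  tpm2-tss,
  which,
  xxd,
  # Link the userspace resource manager TCTI (libtss2-tcti-tabrmd) into the
  # module's RUNPATH/NEEDED so it can be used without extra environment setup.
  abrmdSupport ? false,
  # Build with the TSS Feature API backend (passed as --with-fapi=yes|no).
  fapiSupport ? true,
  # Apply ./default-to-fapi.patch so FAPI is the default backend; the test
  # suite is then pointed back at esysdb via TPM2_PKCS11_BACKEND.
  defaultToFapi ? false,
  # Build with clang, --enable-fuzzing and all hardening disabled.
  enableFuzzing ? false,
  # Optional suffix appended to meta.description (used by the variant packages).
  extraDescription ? null,
}:
let
  # Fuzzing needs the clang toolchain; every other variant uses the default stdenv.
  chosenStdenv = if enableFuzzing then clangStdenv else stdenv;
in
chosenStdenv.mkDerivation (finalAttrs: {
  pname = "tpm2-pkcs11";
  version = "1.9.1";

  src = fetchFromGitHub {
    owner = "tpm2-software";
    repo = "tpm2-pkcs11";
    tag = finalAttrs.version;
    hash = "sha256-W74ckrpK7ypny1L3Gn7nNbOVh8zbHavIk/TX3b8XbI8=";
  };

  # Disable Java-based tests because of missing dependencies
  patches =
    lib.singleton ./disable-java-integration.patch
    ++ lib.optional defaultToFapi ./default-to-fapi.patch;

  postPatch = ''
    echo ${lib.escapeShellArg finalAttrs.version} >VERSION
    # Don't run git in the bootstrap
    substituteInPlace bootstrap --replace-warn "git" "# git"
    # Provide configuration file for D-Bus
    substituteInPlace Makefile.am --replace-fail \
      "dbus-run-session" \
      "dbus-run-session --config-file=${dbus}/share/dbus-1/session.conf"
    # Disable failing tests
    sed -E -i '/\<test\/integration\/(pkcs-crypt\.int|pkcs11-tool\.sh)\>/d' \
      Makefile-integration.am
    patchShebangs test tools
    # The preConfigure phase doesn't seem to be working here
    # ./bootstrap MUST be executed as the first step, before all
    # of the autoreconfHook stuff
    ./bootstrap
  '';

  configureFlags = [
    (lib.enableFeature finalAttrs.doCheck "unit")
    (lib.enableFeature finalAttrs.doCheck "integration")
    # Strangely, it uses --with-fapi=yes|no instead of a normal configure flag.
    "--with-fapi=${if fapiSupport then "yes" else "no"}"
  ]
  ++ lib.optionals enableFuzzing [
    "--enable-fuzzing"
    "--disable-hardening"
  ];

  strictDeps = true;

  nativeBuildInputs = [
    autoconf-archive
    autoreconfHook
    makeWrapper
    patchelf
    pkg-config
    (python3.withPackages (
      ps:
      with ps;
      [
        packaging
        pyyaml
        python-pkcs11
        cryptography
        pyasn1-modules
        tpm2-pytss
      ]
      ++ cryptography.optional-dependencies.ssh
    ))
  ];

  buildInputs = [
    libyaml
    opensc
    openssl
    sqlite
    tpm2-tools
    tpm2-tss
  ];

  nativeCheckInputs = [
    dbus
    expect
    gnutls
    iproute2
    nss.tools
    opensc
    openssh
    openssl
    p11-kit
    sqlite
    swtpm
    tpm2-abrmd
    tpm2-tools
    which
    xxd
  ];

  checkInputs = [
    cmocka
    tpm2-abrmd
  ];

  enableParallelBuilding = true;

  # Matches --disable-hardening above; fuzzing instrumentation does not
  # tolerate the default hardening flags.
  hardeningDisable = lib.optional enableFuzzing "all";

  outputs = [
    "out"
    "bin"
    "dev"
  ];

  doCheck = true;

  # The RUNPATH/NEEDED entries are set by hand in preFixup, so the generic
  # strip/patchelf fixups must not rewrite them afterwards.
  dontStrip = true;
  dontPatchELF = true;

  preCheck =
    let
      # Single directory holding both the stock and the TPM2 OpenSSL providers.
      openssl-modules = buildEnv {
        name = "openssl-modules";
        pathsToLink = [ "/lib/ossl-modules" ];
        paths = map lib.getLib [
          openssl
          tpm2-openssl
        ];
      };
    in
    ''
      # Enable tests to load TCTI modules.  Any inherited value stays in
      # front, but no empty path element is ever produced: appending ":..."
      # to an unset LD_LIBRARY_PATH would yield a leading empty entry, which
      # the dynamic loader searches as the current working directory.
      export LD_LIBRARY_PATH="''${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}${
        lib.makeLibraryPath [
          swtpm
          tpm2-tools
          tpm2-abrmd
        ]
      }"
      # Enable tests to load TPM2 OpenSSL module
      export OPENSSL_MODULES="${openssl-modules}/lib/ossl-modules"
    ''
    + lib.optionalString defaultToFapi ''
      # Need to change the default since the tests expect the other way.
      export TPM2_PKCS11_BACKEND=esysdb
    '';

  postInstall = ''
    mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
    mv ./tools/* $bin/share/tpm2_pkcs11/
    makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
      --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
  '';

  # To be able to use the userspace resource manager, the RUNPATH must
  # explicitly include the tpm2-abrmd shared libraries.
  preFixup =
    let
      rpath = lib.makeLibraryPath (
        [
          glibc
          libyaml
          openssl
          sqlite
          tpm2-tss
        ]
        ++ (lib.optional abrmdSupport tpm2-abrmd)
      );
    in
    ''
      patchelf \
        --set-rpath ${rpath} \
        ${lib.optionalString abrmdSupport "--add-needed ${lib.makeLibraryPath [ tpm2-abrmd ]}/libtss2-tcti-tabrmd.so"} \
        --add-needed ${lib.makeLibraryPath [ tpm2-tss ]}/libtss2-tcti-device.so \
        $out/lib/libtpm2_pkcs11.so.0.0.0
    '';

  # Backend/resource-manager variants, also exposed as passthru.tests so the
  # whole matrix is built by CI.
  passthru = rec {
    esapi = tpm2-pkcs11-esapi;
    fapi = tpm2-pkcs11-fapi;
    abrmd = tpm2-pkcs11.override {
      abrmdSupport = true;
    };
    esapi-abrmd = tpm2-pkcs11-esapi.override {
      abrmdSupport = true;
    };
    fapi-abrmd = tpm2-pkcs11-fapi.override {
      abrmdSupport = true;
    };
    tests = {
      inherit
        esapi
        fapi
        abrmd
        esapi-abrmd
        fapi-abrmd
        ;
    };
  };

  meta = {
    description =
      "PKCS#11 interface for TPM2 hardware"
      + lib.optionalString (extraDescription != null) " ${extraDescription}";
    homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
    license = lib.licenses.bsd2;
    platforms = lib.platforms.linux;
    maintainers = with lib.maintainers; [ numinit ];
    mainProgram = "tpm2_ptool";
  };
})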