[yocto] [meta-security][PATCH 04/17] swtpm: add new package

Khem Raj raj.khem at gmail.com
Mon Oct 17 17:17:39 PDT 2016


> On Oct 17, 2016, at 5:02 PM, Armin Kuster <akuster808 at gmail.com> wrote:
> 
> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
> ---
> recipes-tpm/swtpm/files/fix_lib_search_path.patch | 41 +++++++++++++++++++++++
> recipes-tpm/swtpm/swtpm_1.0.bb                    | 38 +++++++++++++++++++++
> 2 files changed, 79 insertions(+)
> create mode 100644 recipes-tpm/swtpm/files/fix_lib_search_path.patch
> create mode 100644 recipes-tpm/swtpm/swtpm_1.0.bb
> 
> diff --git a/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/recipes-tpm/swtpm/files/fix_lib_search_path.patch
> new file mode 100644
> index 0000000..015f418
> --- /dev/null
> +++ b/recipes-tpm/swtpm/files/fix_lib_search_path.patch
> @@ -0,0 +1,41 @@
> +
> +Upstream-Status: Inappropriate [OE config]
> +
> +Signed-off-by: Armin Kuster <akuster808 at gmail.com>
> +
> +Index: configure.ac
> +===================================================================
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -349,21 +349,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-securi
> + dnl We have to make sure libtpms is using the same crypto library
> + dnl to avoid problems
> + AC_MSG_CHECKING([the crypto library libtpms is using])
> +-dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
> +-       sed -n '/SEARCH_DIR/p' | \
> +-       sed 's/SEARCH_DIR("=\?\(@<:@^"@:>@\+\)"); */\1\n/g')
> +-for dir in $dirs; do
> +-  if test -r $dir/libtpms.so; then
> +-    if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
> +-      libtpms_cryptolib="openssl"
> +-      break
> +-    fi
> +-    if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
> +-      libtpms_cryptolib="freebl"
> +-      break
> +-    fi
> ++dir="$SEARCH_DIR"
> ++if test -r $dir/libtpms.so; then
> ++  if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
> ++    libtpms_cryptolib="openssl"
> ++    break
> +   fi
> +-done
> ++  if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
> ++    libtpms_cryptolib="freebl"
> ++    break
> ++  fi
> ++fi
> +
> + if test -z "$libtpms_cryptolib"; then
> +   AC_MSG_ERROR([Could not determine libtpms crypto library.])
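Review bot: Both `break` statements kept inside the new `if test -r $dir/libtpms.so` block are now outside any loop, because the patch removes the enclosing `for dir in $dirs`; `break` with no enclosing loop is not portable across shells, and bash prints a diagnostic for it. Dropping the two `break` lines and turning the second `ldd` test into an `elif` keeps the openssl-first precedence without them. `$dir` is also unquoted and unchecked, so an unset `SEARCH_DIR` makes the test probe `/libtpms.so` on the build host; `if test -n "$SEARCH_DIR" && test -r "$SEARCH_DIR/libtpms.so"; then` would avoid that. The recipe exports `SEARCH_DIR` as `${STAGING_LIBDIR_NATIVE}`, so this check presumably reports the crypto library of the native libtpms rather than the target one it is meant to match, which deserves a comment stating that assumption. The `if test -z "$libtpms_cryptolib"` block continues outside the hunk.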
> diff --git a/recipes-tpm/swtpm/swtpm_1.0.bb b/recipes-tpm/swtpm/swtpm_1.0.bb
> new file mode 100644
> index 0000000..ae16e51
> --- /dev/null
> +++ b/recipes-tpm/swtpm/swtpm_1.0.bb
> @@ -0,0 +1,38 @@
> +SUMMARY = "SWTPM - Software TPM Emulator"
> +LICENSE = "BSD-3-Clause"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
> +SECTION = “tpm"

this should be ‘apps’ perhaps.

> +
> +DEPENDS = "libtasn1 fuse expect socat glib-2.0 libtpm-native"
> +
> +SRCREV = "2cd10cee2f74c84bda22081514b6b2cb566fa42d"
> +SRC_URI = "git://github.com/stefanberger/swtpm.git \
> +	   file://fix_lib_search_path.patch"
> +
> +S = "${WORKDIR}/git"
> +
> +inherit autotools-brokensep pkgconfig
> +PARALLEL_MAKE = ""
> +
> +TSS_USER="tss"
> +TSS_GROUP="tss"
> +
> +PACKAGECONFIG ?= "openssl"
> +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
> +PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
> +PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
> +PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, linselinux"
> +
> +CACHED_CONFIGUREVARS = "ac_cv_path_EXPECT=${STAGING_LIBDIR} \
> +ac_cv_path_SOCAT=${STAGING_LIBDIR} “

STAGING_LIBDIR seems dubious here. Can you check whether these are needed during the build? If so, they should
point to the native versions; if they are needed at runtime, it should be ${libdir}.

> +
> +EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"
> +
> +export SEARCH_DIR = "${STAGING_LIBDIR_NATIVE}"
> +
> +USERADD_PACKAGES = "${PN}"
> +GROUPADD_PARAM_${PN} = "--system ${TSS_USER}"
> +USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir  \
> +    --no-create-home  --shell /bin/false ${BPN}"
> +
> +RDEPENDS_${PN} = "libtpm expect socat bash”
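Review bot: The account set-up at the end of the recipe will not take effect as written, because `USERADD_PACKAGES`, `GROUPADD_PARAM_${PN}` and `USERADD_PARAM_${PN}` are only acted on by the useradd class and the `inherit` line lists just `autotools-brokensep pkgconfig`. `--home-dir` is also given no value, so useradd would likely consume `--no-create-home` as the home directory, and the account created is `${BPN}` while configure is told `--with-tss-user=${TSS_USER}`. Since this is presumably the unprivileged account the emulator is expected to use, I would write `inherit autotools-brokensep pkgconfig useradd` and `USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir <home-dir-placeholder> --no-create-home --shell /bin/false ${TSS_USER}"`, with the home directory chosen by the maintainer. Separately, `PACKAGECONFIG[selinux]` depends on `linselinux`, which looks like a typo for `libselinux`.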

This probably should be +=

> --
> 2.7.4
> 
