[yocto] [meta-security][PATCH 04/17] swtpm: add new package

akuster808 akuster808 at gmail.com
Mon Oct 17 20:57:55 PDT 2016



On 10/17/2016 05:17 PM, Khem Raj wrote:
>> On Oct 17, 2016, at 5:02 PM, Armin Kuster <akuster808 at gmail.com> wrote:
>>
>> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
>> ---
>> recipes-tpm/swtpm/files/fix_lib_search_path.patch | 41 +++++++++++++++++++++++
>> recipes-tpm/swtpm/swtpm_1.0.bb                    | 38 +++++++++++++++++++++
>> 2 files changed, 79 insertions(+)
>> create mode 100644 recipes-tpm/swtpm/files/fix_lib_search_path.patch
>> create mode 100644 recipes-tpm/swtpm/swtpm_1.0.bb
>>
>> diff --git a/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/recipes-tpm/swtpm/files/fix_lib_search_path.patch
>> new file mode 100644
>> index 0000000..015f418
>> --- /dev/null
>> +++ b/recipes-tpm/swtpm/files/fix_lib_search_path.patch
>> @@ -0,0 +1,41 @@
>> +
>> +Upstream-Status: Inappropriate [OE config]
>> +
>> +Signed-off-by: Armin Kuster <akuster808 at gmail.com>
>> +
>> +Index: configure.ac
>> +===================================================================
>> +--- a/configure.ac
>> ++++ b/configure.ac
>> +@@ -349,21 +349,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-securi
>> + dnl We have to make sure libtpms is using the same crypto library
>> + dnl to avoid problems
>> + AC_MSG_CHECKING([the crypto library libtpms is using])
>> +-dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
>> +-       sed -n '/SEARCH_DIR/p' | \
>> +-       sed 's/SEARCH_DIR("=\?\(@<:@^"@:>@\+\)"); */\1\n/g')
>> +-for dir in $dirs; do
>> +-  if test -r $dir/libtpms.so; then
>> +-    if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
>> +-      libtpms_cryptolib="openssl"
>> +-      break
>> +-    fi
>> +-    if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
>> +-      libtpms_cryptolib="freebl"
>> +-      break
>> +-    fi
>> ++dir="$SEARCH_DIR"
>> ++if test -r $dir/libtpms.so; then
>> ++  if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
>> ++    libtpms_cryptolib="openssl"
>> ++    break
>> +   fi
>> +-done
>> ++  if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
>> ++    libtpms_cryptolib="freebl"
>> ++    break
>> ++  fi
>> ++fi
>> +
>> + if test -z "$libtpms_cryptolib"; then
>> +   AC_MSG_ERROR([Could not determine libtpms crypto library.])
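Review bot: The two `break` statements kept after `libtpms_cryptolib="openssl"` and `libtpms_cryptolib="freebl"` are no longer inside a loop, because the patch removes the surrounding `for dir in $dirs`. Outside a loop `break` does nothing useful, and some shells print a diagnostic for it. The second `ldd` test therefore always runs, so a libtpms.so linked against both libcrypto and libnss3 would now be reported as `freebl`, where the old loop stopped at `openssl`. `$dir` is also unquoted and never checked for being empty, so an unset `SEARCH_DIR` makes the test look at `/libtpms.so`. The rewrite below drops the `break`s, chains the two checks with `elif`, and quotes and guards `$dir`; since the recipe exports `SEARCH_DIR` as the native staging libdir, it is worth confirming that the native and target libtpms are built against the same crypto library.
```shell
dir="$SEARCH_DIR"
if test -n "$dir" && test -r "$dir/libtpms.so"; then
  if ldd "$dir/libtpms.so" | grep libcrypto.so >/dev/null; then
    libtpms_cryptolib="openssl"
  elif ldd "$dir/libtpms.so" | grep libnss3.so >/dev/null; then
    libtpms_cryptolib="freebl"
  fi
fi
# … unchanged: test -z "$libtpms_cryptolib" / AC_MSG_ERROR …
```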
>> diff --git a/recipes-tpm/swtpm/swtpm_1.0.bb b/recipes-tpm/swtpm/swtpm_1.0.bb
>> new file mode 100644
>> index 0000000..ae16e51
>> --- /dev/null
>> +++ b/recipes-tpm/swtpm/swtpm_1.0.bb
>> @@ -0,0 +1,38 @@
>> +SUMMARY = "SWTPM - Software TPM Emulator"
>> +LICENSE = "BSD-3-Clause"
>> +LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
>> +SECTION = “tpm"
> this should be ‘apps’ perhaps.
>
>> +
>> +DEPENDS = "libtasn1 fuse expect socat glib-2.0 libtpm-native"
>> +
>> +SRCREV = "2cd10cee2f74c84bda22081514b6b2cb566fa42d"
>> +SRC_URI = "git://github.com/stefanberger/swtpm.git \
>> +	   file://fix_lib_search_path.patch"
>> +
>> +S = "${WORKDIR}/git"
>> +
>> +inherit autotools-brokensep pkgconfig
>> +PARALLEL_MAKE = ""
>> +
>> +TSS_USER="tss"
>> +TSS_GROUP="tss"
>> +
>> +PACKAGECONFIG ?= "openssl"
>> +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
>> +PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
>> +PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
>> +PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, linselinux"
>> +
>> +CACHED_CONFIGUREVARS = "ac_cv_path_EXPECT=${STAGING_LIBDIR} \
>> +ac_cv_path_SOCAT=${STAGING_LIBDIR} “
> STAGING_LIBDIR seems dubious here. Can you check? If it is needed during the build, it should
> point to the native versions; if it is needed at runtime, it should be ${libdir}.
K. Found a cleaner solution.

thanks for the feedback.
-Armin
>
>> +
>> +EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"
>> +
>> +export SEARCH_DIR = "${STAGING_LIBDIR_NATIVE}"
>> +
>> +USERADD_PACKAGES = "${PN}"
>> +GROUPADD_PARAM_${PN} = "--system ${TSS_USER}"
>> +USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir  \
>> +    --no-create-home  --shell /bin/false ${BPN}"
>> +
>> +RDEPENDS_${PN} = "libtpm expect socat bash”
> This probably should be +=
>
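Review bot: The `USERADD_PACKAGES` / `GROUPADD_PARAM_${PN}` / `USERADD_PARAM_${PN}` block at the end of the recipe has no matching `inherit useradd` in the visible hunk (only `autotools-brokensep pkgconfig` are inherited), so as written these variables would not create any account. In `USERADD_PARAM_${PN}`, `--home-dir` is followed directly by `--no-create-home`, so useradd would take that option as the home path. The account being created is `${BPN}`, while configure is passed `--with-tss-user=${TSS_USER}`. If the intent is for swtpm to run as the unprivileged tss user, I would add `inherit useradd` and use `USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir <HOME_DIR_PLACEHOLDER> --no-create-home --shell /bin/false ${TSS_USER}"`. Separately, the selinux `PACKAGECONFIG` entry depends on `linselinux`, which looks like a typo for `libselinux`.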
>> --
>> 2.7.4
>>
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto at yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto



