| Message ID | 20241125000233.2772592-3-abelino.romo@gmail.com |
|---|---|
| State | Superseded |
| Series | Add support for tpm2-tss v4.1.3 and tpm2-tss-engine v1.2.0 |
Hi, thanks for this contribution. See below some comments. On Sun, Nov 24, 2024 at 04:02:18PM UTC, abelino wrote: > Introduce the TPM2-TSS OpenSSL Engine to enable TPM2 device support in > ecosystems that do not yet support OpenSSL Providers. This is > particularly useful in the Erlang space, where OpenSSL 3 Providers are > still under development [1]. Does it imply that we should have such a warning? src/tpm2-tss-engine-rand.c: In function ‘init_rand’: src/tpm2-tss-engine-rand.c:150:5: warning: ‘ENGINE_set_RAND’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations] 150 | return ENGINE_set_RAND(e, &rand_methods); | ^~~~~~ > > [1] https://erlangforums.com/t/openssl-3-support-for-provider-deprecated-engine-replacement/2954/2 > > Signed-off-by: abelino <abelino.romo@gmail.com> > --- > package/Config.in | 1 + > ...-disabling-of-digest-sign-operations.patch | 46 +++++++++++++++++++ > package/tpm2-tss-engine/Config.in | 12 +++++ > package/tpm2-tss-engine/tpm2-tss-engine.hash | 3 ++ > package/tpm2-tss-engine/tpm2-tss-engine.mk | 19 ++++++++ > 5 files changed, 81 insertions(+) > create mode 100644 package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch > create mode 100644 package/tpm2-tss-engine/Config.in > create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.hash > create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.mk > > diff --git a/package/Config.in b/package/Config.in > index 1eb5e1e020..4f4b7a34d5 100644 > --- a/package/Config.in > +++ b/package/Config.in > @@ -1633,6 +1633,7 @@ menu "Crypto" > source "package/tpm2-openssl/Config.in" > source "package/tpm2-pkcs11/Config.in" > source "package/tpm2-tss/Config.in" > + source "package/tpm2-tss-engine/Config.in" > source "package/trousers/Config.in" > source "package/ustream-ssl/Config.in" > source "package/wolfssl/Config.in"
> diff --git a/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch > new file mode 100644 > index 0000000000..7ce717df4a > --- /dev/null > +++ b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch 
> @@ -0,0 +1,46 @@ > +From af8b26e7ffe69837197fb841e9a31230ae01c9cc Mon Sep 17 00:00:00 2001 > +From: Andreas Fuchs <andreas.fuchs@infineon.com> > +Date: Mon, 22 May 2023 14:06:41 +0200 > +Subject: [PATCH] Configure: Allow disabling of digest-sign operations > + > +Since the digest-sign operations perform the hash on the TPM and > +TPMs in general do not support SHA512, this can lead to errors. > +Depending on the use case, it might be preferable to not support > +restricted keys (via digest+sign) but to rely on ordinary keys > +only. > + > +Upstream: https://github.com/tpm2-software/tpm2-tss-engine/commit/af8b26e7ffe69837197fb841e9a31230ae01c9cc > +Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com> When will a tpm2-tss-engine release update be available to avoid this patch ? Did you suggest/ask for a new release to the tpm2-tss-engine community using a github issue ? > +--- > + configure.ac | 10 ++++++++-- > + 1 file changed, 8 insertions(+), 2 deletions(-) > + > +diff --git a/configure.ac b/configure.ac > +index d4a9356..b379042 100644 > +--- a/configure.ac > ++++ b/configure.ac > +@@ -116,13 +116,19 @@ PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g], > + PKG_CHECK_MODULES([TSS2_ESYS], [tss2-esys >= 2.3]) > + PKG_CHECK_MODULES([TSS2_MU], [tss2-mu]) > + PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr]) > ++ > + AC_CHECK_LIB([crypto], EC_KEY_METHOD_set_compute_key, > + [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], true)], > + [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], false)]) > ++ > ++AC_ARG_ENABLE([digestsign], > ++ [AS_HELP_STRING([--disable-digestsign], > ++ [Disable support for digest and sign methods, helps with TPM unsupported hash algorithms.])],, > ++ [enable_digestsign=yes]) > + AC_CHECK_LIB([crypto], EVP_PKEY_meth_set_digest_custom, > +- [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], true)], > ++ [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], [test "x$enable_digestsign" != "xno"])], > + [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], false)]) > +-AS_IF([test 
"x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes], > ++AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes && test "x$enable_digestsign" = "xyes"], > + [AC_DEFINE([HAVE_OPENSSL_DIGEST_SIGN], [1], > + Have required functionality from OpenSSL to support digest and sign)]) > + > +-- > +2.47.0 > + > diff --git a/package/tpm2-tss-engine/Config.in b/package/tpm2-tss-engine/Config.in > new file mode 100644 > index 0000000000..27d925a60f > --- /dev/null > +++ b/package/tpm2-tss-engine/Config.in > @@ -0,0 +1,12 @@ > +config BR2_PACKAGE_TPM2_TSS_ENGINE > + bool "tpm2-tss-engine" > + select BR2_PACKAGE_TPM2_TSS > + select BR2_PACKAGE_LIBOPENSSL_ENGINES > + help > + The tpm2-tss-engine project implements a cryptographic engine > + for OpenSSL for Trusted Platform Module (TPM 2.0) using the > + tpm2-tss software stack that follows the Trusted Computing > + Groups (TCG) TPM Software Stack (TSS 2.0). It uses the > + Enhanced System API (ESAPI) interface of the TSS 2.0 for > + downwards communication. It supports RSA decryption and > + signatures as well as ECDSA signatures. > diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.hash b/package/tpm2-tss-engine/tpm2-tss-engine.hash > new file mode 100644 > index 0000000000..294847d5f8 > --- /dev/null > +++ b/package/tpm2-tss-engine/tpm2-tss-engine.hash > @@ -0,0 +1,3 @@ > +# Locally computed: > +sha256 3c94fef110dd3630b3c28c5875febba76b7d5ba2fcc04a14c4a30f5d2157c265 tpm2-tss-engine-1.2.0.tar.gz > +sha256 7a77915f34caf18d47bc31750dae47dbd7f7895e95bbb8370f477c25009388f6 LICENSE > diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.mk b/package/tpm2-tss-engine/tpm2-tss-engine.mk > new file mode 100644 > index 0000000000..768f9ee3bd > --- /dev/null > +++ b/package/tpm2-tss-engine/tpm2-tss-engine.mk 
> @@ -0,0 +1,19 @@ > +################################################################################ > +# > +# tpm2-tss-engine > +# > +################################################################################ > + > +TPM2_TSS_ENGINE_VERSION = 1.2.0 > +TPM2_TSS_ENGINE_SITE = https://github.com/tpm2-software/tpm2-tss-engine/releases/download/$(TPM2_TSS_ENGINE_VERSION) You should rather use: TPM2_TSS_ENGINE_SITE = $(call github,tpm2-software,tpm2-tss-engine,$(TPM2_TSS_ENGINE_VERSION)) I did try it, you'll need to update the hash/signature file too. > +TPM2_TSS_ENGINE_LICENSE = BSD-3-Clause > +TPM2_TSS_ENGINE_LICENSE_FILES = LICENSE > +TPM2_TSS_ENGINE_INSTALL_STAGING = YES > +TPM2_TSS_ENGINE_DEPENDENCIES = host-pkgconf tpm2-tss > +TPM2_TSS_ENGINE_AUTORECONF = YES > + > +TPM2_TSS_ENGINE_CONF_OPTS = \ > + --disable-digestsign \ The --disable-digestsign can make sense, but it should be a Config.in flag. > + --with-enginesdir="/usr/lib/engines-3" Could you align it with the libp11 enginesdir too ? They are using: # pkg-config returns a libcrypto enginesdir prefixed with the sysroot, # so let's rip it out. LIBP11_CONF_OPTS = \ --with-enginesdir=`$(PKG_CONFIG_HOST_BINARY) --variable enginesdir libcrypto | xargs readlink -f | sed 's%^$(STAGING_DIR)%%'` best regards, Vincent > + > +$(eval $(autotools-package)) > -- > 2.47.0
diff --git a/package/Config.in b/package/Config.in index 1eb5e1e020..4f4b7a34d5 100644 --- a/package/Config.in +++ b/package/Config.in @@ -1633,6 +1633,7 @@ menu "Crypto" source "package/tpm2-openssl/Config.in" source "package/tpm2-pkcs11/Config.in" source "package/tpm2-tss/Config.in" + source "package/tpm2-tss-engine/Config.in" source "package/trousers/Config.in" source "package/ustream-ssl/Config.in" source "package/wolfssl/Config.in" diff --git a/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch new file mode 100644 index 0000000000..7ce717df4a --- /dev/null +++ b/package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch 
@@ -0,0 +1,46 @@ +From af8b26e7ffe69837197fb841e9a31230ae01c9cc Mon Sep 17 00:00:00 2001 +From: Andreas Fuchs <andreas.fuchs@infineon.com> +Date: Mon, 22 May 2023 14:06:41 +0200 +Subject: [PATCH] Configure: Allow disabling of digest-sign operations + +Since the digest-sign operations perform the hash on the TPM and +TPMs in general do not support SHA512, this can lead to errors. +Depending on the use case, it might be preferable to not support +restricted keys (via digest+sign) but to rely on ordinary keys +only. + +Upstream: https://github.com/tpm2-software/tpm2-tss-engine/commit/af8b26e7ffe69837197fb841e9a31230ae01c9cc +Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com> +--- + configure.ac | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index d4a9356..b379042 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -116,13 +116,19 @@ PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g], + PKG_CHECK_MODULES([TSS2_ESYS], [tss2-esys >= 2.3]) + PKG_CHECK_MODULES([TSS2_MU], [tss2-mu]) + PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr]) ++ + AC_CHECK_LIB([crypto], EC_KEY_METHOD_set_compute_key, + [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], true)], + [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], false)]) ++ ++AC_ARG_ENABLE([digestsign], ++ [AS_HELP_STRING([--disable-digestsign], ++ [Disable support for digest and sign methods, helps with TPM unsupported hash algorithms.])],, ++ [enable_digestsign=yes]) + AC_CHECK_LIB([crypto], EVP_PKEY_meth_set_digest_custom, +- [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], true)], ++ [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], [test "x$enable_digestsign" != "xno"])], + [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], false)]) +-AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes], ++AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes && test "x$enable_digestsign" = "xyes"], + [AC_DEFINE([HAVE_OPENSSL_DIGEST_SIGN], [1], + Have required functionality from 
OpenSSL to support digest and sign)]) + +-- +2.47.0 + diff --git a/package/tpm2-tss-engine/Config.in b/package/tpm2-tss-engine/Config.in new file mode 100644 index 0000000000..27d925a60f --- /dev/null +++ b/package/tpm2-tss-engine/Config.in @@ -0,0 +1,12 @@ +config BR2_PACKAGE_TPM2_TSS_ENGINE + bool "tpm2-tss-engine" + select BR2_PACKAGE_TPM2_TSS + select BR2_PACKAGE_LIBOPENSSL_ENGINES + help + The tpm2-tss-engine project implements a cryptographic engine + for OpenSSL for Trusted Platform Module (TPM 2.0) using the + tpm2-tss software stack that follows the Trusted Computing + Groups (TCG) TPM Software Stack (TSS 2.0). It uses the + Enhanced System API (ESAPI) interface of the TSS 2.0 for + downwards communication. It supports RSA decryption and + signatures as well as ECDSA signatures. diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.hash b/package/tpm2-tss-engine/tpm2-tss-engine.hash new file mode 100644 index 0000000000..294847d5f8 --- /dev/null +++ b/package/tpm2-tss-engine/tpm2-tss-engine.hash @@ -0,0 +1,3 @@ +# Locally computed: +sha256 3c94fef110dd3630b3c28c5875febba76b7d5ba2fcc04a14c4a30f5d2157c265 tpm2-tss-engine-1.2.0.tar.gz +sha256 7a77915f34caf18d47bc31750dae47dbd7f7895e95bbb8370f477c25009388f6 LICENSE diff --git a/package/tpm2-tss-engine/tpm2-tss-engine.mk b/package/tpm2-tss-engine/tpm2-tss-engine.mk new file mode 100644 index 0000000000..768f9ee3bd --- /dev/null +++ b/package/tpm2-tss-engine/tpm2-tss-engine.mk 
@@ -0,0 +1,19 @@ +################################################################################ +# +# tpm2-tss-engine +# +################################################################################ + +TPM2_TSS_ENGINE_VERSION = 1.2.0 +TPM2_TSS_ENGINE_SITE = https://github.com/tpm2-software/tpm2-tss-engine/releases/download/$(TPM2_TSS_ENGINE_VERSION) +TPM2_TSS_ENGINE_LICENSE = BSD-3-Clause +TPM2_TSS_ENGINE_LICENSE_FILES = LICENSE +TPM2_TSS_ENGINE_INSTALL_STAGING = YES +TPM2_TSS_ENGINE_DEPENDENCIES = host-pkgconf tpm2-tss +TPM2_TSS_ENGINE_AUTORECONF = YES + +TPM2_TSS_ENGINE_CONF_OPTS = \ + --disable-digestsign \ + --with-enginesdir="/usr/lib/engines-3" + +$(eval $(autotools-package))
Introduce the TPM2-TSS OpenSSL Engine to enable TPM2 device support in ecosystems that do not yet support OpenSSL Providers. This is particularly useful in the Erlang space, where OpenSSL 3 Providers are still under development [1]. [1] https://erlangforums.com/t/openssl-3-support-for-provider-deprecated-engine-replacement/2954/2 Signed-off-by: abelino <abelino.romo@gmail.com> --- package/Config.in | 1 + ...-disabling-of-digest-sign-operations.patch | 46 +++++++++++++++++++ package/tpm2-tss-engine/Config.in | 12 +++++ package/tpm2-tss-engine/tpm2-tss-engine.hash | 3 ++ package/tpm2-tss-engine/tpm2-tss-engine.mk | 19 ++++++++ 5 files changed, 81 insertions(+) create mode 100644 package/tpm2-tss-engine/0001-Allow-disabling-of-digest-sign-operations.patch create mode 100644 package/tpm2-tss-engine/Config.in create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.hash create mode 100644 package/tpm2-tss-engine/tpm2-tss-engine.mk
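Review bot: in the bundled 0001-Allow-disabling-of-digest-sign-operations.patch the two tests of $enable_digestsign disagree: the AM_CONDITIONAL uses `test "x$enable_digestsign" != "xno"` while the AS_IF uses `test "x$enable_digestsign" = "xyes"`, so any value other than yes or no leaves the HAVE_OPENSSL_DIGEST_SIGN Automake conditional enabled but the HAVE_OPENSSL_DIGEST_SIGN define unset. This is harmless for Buildroot, which only ever passes --disable-digestsign, and since the file is a verbatim backport of upstream commit af8b26e7ffe69837197fb841e9a31230ae01c9cc it should be reported upstream rather than changed here; it is one more reason to ask for an upstream release that already contains the option, as the reply suggests.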
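Review bot: package/tpm2-tss-engine/Config.in selects BR2_PACKAGE_TPM2_TSS and BR2_PACKAGE_LIBOPENSSL_ENGINES but has no `depends on` lines of its own, so it does not propagate whatever `depends on` conditions tpm2-tss carries, and selecting the libopenssl engines option does not by itself guarantee that libopenssl rather than libressl is the chosen OpenSSL implementation; replicate tpm2-tss's `depends on` lines and add `select BR2_PACKAGE_OPENSSL` plus `select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL`, the way the libp11 engine package referenced in the reply does. Because an engine is a shared object that libcrypto loads at run time, a `depends on !BR2_STATIC_LIBS` with the usual comment is also warranted, and the help text should end with the upstream project URL as other Buildroot packages do.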
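Review bot: both entries in tpm2-tss-engine.hash are marked `# Locally computed`; if upstream publishes a signature or checksum for tpm2-tss-engine-1.2.0.tar.gz, verify the tarball against it before recording the sha256 and say so in the comment, since a locally computed hash only pins the archive that was downloaded once and does not attest to the upstream release. Keep in mind that switching TPM2_TSS_ENGINE_SITE to the github helper, as the reply proposes, changes the archive that is downloaded and therefore its hash.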
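Review bot: TPM2_TSS_ENGINE_DEPENDENCIES in tpm2-tss-engine.mk lists only host-pkgconf and tpm2-tss, while the bundled patch shows configure.ac running `PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g])` and AC_CHECK_LIB on libcrypto, so the engine links against OpenSSL directly; add `openssl` to the dependencies explicitly instead of relying on it arriving transitively through tpm2-tss. The hard-coded `--with-enginesdir="/usr/lib/engines-3"` additionally bakes in the OpenSSL 3 directory layout, so deriving the path from pkg-config as the reply suggests keeps the engine loadable if the libcrypto version, and hence its engines directory, changes.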