diff --git a/.circleci/config.yml b/.circleci/config.yml
index d0bff577..303e1121 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -45,6 +45,7 @@ jobs: docker: - image: debian:11 resource_class: large + working_directory: ~/heads steps: - run: name: Install dependencies
@@ -53,7 +54,6 @@ jobs: apt update apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo imagemagick libncurses5-dev - checkout - - run: name: git reset command: |
@@ -120,6 +120,7 @@ jobs: docker: - image: debian:11 resource_class: large + working_directory: ~/heads parameters: arch: type: string
@@ -138,15 +139,16 @@ jobs: - persist_to_workspace: root: ~/ paths: - - project/packages/<> - - project/build/<> - - project/crossgcc/<> - - project/install/<> + - heads/packages/<> + - heads/build/<> + - heads/crossgcc/<> + - heads/install/<> build: docker: - image: debian:11 resource_class: large + working_directory: ~/heads parameters: arch: type: string
@@ -167,6 +169,7 @@ jobs: docker: - image: debian:11 resource_class: large + working_directory: ~/heads steps: - attach_workspace: at: ~/
@@ -236,13 +239,12 @@ workflows: # since kernel is 6.x and coreboot is git is unshared # We use nitropad's coreboot's fork crossgcc # No need to wait further for other board's cache. - # We reuse built modules from x230-hotp-maximized cache only - build_and_persist: name: nitropad-nv41 target: nitropad-nv41 subcommand: "" requires: - - x230-hotp-maximized + - prep_env # coreboot-git Talos II (PPC) - build_and_persist:
@@ -527,3 +529,4 @@ workflows: # path: build/UNMAINTAINED_qemu-linuxboot/linuxboot.rom # - store-artifacts: # path: build/UNMAINTAINED_qemu-linuxboot/hashes.txt + 
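Review bot: The last hunk (`@@ -527,3 +529,4 @@`) appears to append an empty or whitespace-only line after the final commented-out `store-artifacts` block, which adds nothing and trips yamllint's trailing-spaces/empty-lines checks; drop that `+` line. `working_directory: ~/heads` is also repeated verbatim in four job definitions while `persist_to_workspace` hard-codes the matching `heads/` prefix in its `paths:`; since the file already uses 2.1 features (`parameters:`), declaring the image, resource class and working directory once as an `executors:` entry and referencing it from each job keeps the checkout location and the workspace paths from drifting apart on the next change.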
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index 630454e1..a740d4a0 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -347,8 +347,10 @@ tpm2_startsession() { --saved-session || die "tpm2_flushcontext: unable to flush saved session" tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE" - tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" - tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" + #TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429 + tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" 2>&1 > /dev/null + #TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429 + tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" 2>&1 > /dev/null tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE" }
diff --git a/modules/tpm2-tools b/modules/tpm2-tools
index 98711195..bba25bc5 100644
--- a/modules/tpm2-tools
+++ b/modules/tpm2-tools
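Review bot: On the two new `tpm2 startauthsession` lines, `2>&1 > /dev/null` redirects stderr to the original stdout and discards only stdout, so a warning emitted on stderr (where tpm2-tools' LOG_WARN output normally goes) is still printed while any stdout is lost; if the intent is to hide that one message, `2>/dev/null` is the ordering that does so, at the cost of also hiding genuine errors. Neither command checks its exit status, unlike the `|| die` on the flushcontext call at the top of the hunk, so a failed session start is only noticed when the later `tpm2 sessionconfig` fails; `|| die "tpm2_startsession: unable to start auth session"` on each line keeps the failure attributable. The suppressed warning presumably says the public portion of the key protecting the session was not verified, and `tpm2 readpublic` on the line above already writes that portion to `$PRIMARY_HANDLE_FILE`, so checking it there against the expected value would resolve the TODO rather than mask it. The enclosing function starts outside the hunk.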
@@ -8,23 +8,30 @@ ifeq "$(CONFIG_TPM2_TOOLS)" "y" export CONFIG_TPM=y endif -tpm2-tools_version := 5.2 -#tpm2-tools_version := 78a7681 -#tpm2-tools_repo := https://github.com/tpm2-software/tpm2-tools.git +tpm2-tools_version := 5.6 tpm2-tools_dir := tpm2-tools-$(tpm2-tools_version) tpm2-tools_tar := tpm2-tools-$(tpm2-tools_version).tar.gz tpm2-tools_url := https://github.com/tpm2-software/tpm2-tools/releases/download/$(tpm2-tools_version)/$(tpm2-tools_tar) -tpm2-tools_hash := c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630 +tpm2-tools_hash := 52c8bcbaadca082abfe5eb7ee4967d2d632d84b1677675f2f071b6d2ec22cec3 -# we have ESYS 3.0, but it doesn't figure that out on its own -tpm2-tools_configure := ./bootstrap && ./configure \ +#tpm2-tools 5.6 adds release version based on git, while tarball downloaded doesn't include any .git +# the patch comments out git output to ./VERSION, and we fill it here based on this Makefile's version +#tpm2-tools doesn't play nice with reproducible builds, hardcoding lib paths without providing a configure option to remove rpaths +# We make sure no hardcoding of libdir flags exist in configure script prior of calling the script with sed call +# We pass additional remapping of prefix-map from $INSTALL to local dir +# +# TODO: remove all patches and uniformize with similar sed calls. +tpm2-tools_configure := \ + echo "$(tpm2-tools_version)" > ./VERSION \ + && ./bootstrap \ + && sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \ + && ./configure \ $(CROSS_TOOLS) \ --host $(MUSL_ARCH)-elf-linux \ --prefix "/" \ --disable-fapi \ - TSS2_ESYS_3_0_CFLAGS="-I$(INSTALL)/include" \ - TSS2_ESYS_3_0_LIBS="-ltss2-esys" \ + CFLAGS="-fdebug-prefix-map=$(INSTALL)=." \ tpm2-tools_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \
diff --git a/modules/tpm2-tss b/modules/tpm2-tss
index 0fad79ef..3795e21f 100644
--- a/modules/tpm2-tss
+++ b/modules/tpm2-tss
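Review bot: `CFLAGS="-fdebug-prefix-map=$(INSTALL)=."` passed to `./configure` replaces the compiler flags instead of extending them: autoconf only adds its default `-g -O2` when CFLAGS is unset, and because this argument comes after `$(CROSS_TOOLS)` it also overrides any CFLAGS set there, so the `tpm2` binary is now built without optimisation unless something not visible here re-adds it, which in turn neutralises `_FORTIFY_SOURCE`-style hardening that needs `-O`. Making the intended level explicit, `CFLAGS="-O2 -fdebug-prefix-map=$(INSTALL)=."`, avoids the silent change; and if the leaked paths come from `__FILE__` rather than DWARF, `-ffile-prefix-map` covers both. The `sed -i 's/hardcode_libdir_flag_spec=.*/.../'` step succeeds even when the pattern is absent, so a later tarball that renames that variable would bring the rpath back without failing the build; `&& grep -q 'hardcode_libdir_flag_spec=" "' configure \` after the sed turns the assumption into a check. The `hardcode_into_libs` sed in the modules/tpm2-tss hunk has the same silent-no-op behaviour.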
@@ -1,13 +1,22 @@ # TPM2 TSS library modules-$(CONFIG_TPM2_TSS) += tpm2-tss -tpm2-tss_version := 3.2.0 +tpm2-tss_version := 3.2.2 tpm2-tss_dir := tpm2-tss-$(tpm2-tss_version) tpm2-tss_tar := tpm2-tss-$(tpm2-tss_version).tar.gz tpm2-tss_url := https://github.com/tpm2-software/tpm2-tss/releases/download/$(tpm2-tss_version)/$(tpm2-tss_tar) -tpm2-tss_hash := 48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912 +tpm2-tss_hash := ba9e52117f254f357ff502e7d60fce652b3bfb26327d236bbf5ab634235e40f1 +#Repro checks: +# find build/x86/tpm2-tss-3.2.2/src/*/.libs/libtss2-*so* | while read file; do echo "library $file:"; strings $file|grep heads; done +# Should not return any result + +#NEEDED otherwise output on previous command +#sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure +# needed otherwise library build/x86/tpm2-tss-3.2.2/src/tss2-tcti/.libs/libtss2-tcti-pcap.so.0.0.0: +# contains: /home/user/heads/build/x86/tpm2-tss-3.2.2/src/tss2-tcti/.libs:/home/user/heads/build/x86/tpm2-tss-3.2.2/src/tss2-mu/.libs://lib tpm2-tss_configure := aclocal && automake --add-missing && autoreconf -fi \ + && sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure \ && ./configure \ $(CROSS_TOOLS) \ --host $(MUSL_ARCH)-elf-linux \
@@ -17,6 +26,7 @@ tpm2-tss_configure := aclocal && automake --add-missing && autoreconf -fi \ --disable-doxygen-rtf \ --disable-doxygen-html \ --disable-fapi \ + --disable-static \ # Run one build to generate the executables with the pre-defined # exec_prefix and datarootdir, then a second make to install the binaries
diff --git a/patches/openssl-3.0.8.patch b/patches/openssl-3.0.8.patch
new file mode 100644
index 00000000..db4e79e4
--- /dev/null
+++ b/patches/openssl-3.0.8.patch
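Review bot: The comment block inserted above `tpm2-tss_configure` carries a commented-out copy of the `sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure` line that is now live in the recipe two lines below, plus the drafting remark `#NEEDED otherwise output on previous command`; keeping a single why-comment such as `# libtool's hardcode_into_libs=yes bakes the absolute build-tree .libs paths into libtss2-tcti-pcap.so; force it off so the output is reproducible` and deleting the duplicate avoids two copies of the sed drifting apart. The `find … | strings | grep heads` check is documented as a manual procedure ending in "Should not return any result"; turning it into a build-time assertion over the installed `libtss2-*.so` files (a grep that fails the recipe on a match) would make the reproducibility property enforced rather than remembered. The `tpm2-tss_configure` definition continues past the end of the first hunk.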
@@ -0,0 +1,35 @@
+--- ./util/mkbuildinf.pl.orig 2023-02-07 08:43:33.000000000 -0500
++++ ./util/mkbuildinf.pl 2024-03-27 14:36:49.974651246 -0400
+@@ -12,7 +12,7 @@
+ my ($cflags, $platform) = @ARGV;
+ $cflags = "compiler: $cflags";
+ 
+-my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || time()) . " UTC";
++my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || '0') . " UTC";
+ 
+ print <<"END_OUTPUT";
+ /*
+@@ -36,21 +36,7 @@
+ * literal
+ */
+ static const char compiler_flags[] = {
+-END_OUTPUT
+-
+-my $ctr = 0;
+-foreach my $c (split //, $cflags) {
+- $c =~ s|([\\'])|\\$1|;
+- # Max 16 characters per line
+- if (($ctr++ % 16) == 0) {
+- if ($ctr != 1) {
+- print "\n";
+- }
+- print " ";
+- }
+- print "'$c',";
+-}
+-print <<"END_OUTPUT";
+-'\\0'
++ 'r','e','p','r','o','d','u','c','i','b','l','e',' ','b','u','i',
++ 'l','d','\\0'
+ };
+ END_OUTPUT
diff --git a/patches/tpm2-tools-5.2.patch b/patches/tpm2-tools-5.2.patch
deleted file mode 100644
index f4720f23..00000000
--- a/patches/tpm2-tools-5.2.patch
+++ /dev/null
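Review bot: The second hunk replaces the real contents of `compiler_flags[]` with the fixed text `reproducible build`, so `openssl version -f` (and any code reading `OPENSSL_version(OPENSSL_CFLAGS)`) no longer reports how this libcrypto was built; for a firmware image that record is what an auditor uses to confirm the compile options, and it is lost for every build rather than only for the non-reproducible parts. If the irreproducible material in `$cflags` is the absolute build path, stripping only those tokens before the existing character loop (a substitution that removes any argument containing the build tree's prefix — constructed example, to be matched against the actual flags) keeps the record while staying reproducible. The patch also has no leading description; `patch` ignores text before the first `---`, so a short header stating why the `SOURCE_DATE_EPOCH` fallback and the flags replacement are needed would tell the next reader what to re-verify on the next OpenSSL bump.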
@@ -1,33 +0,0 @@
-diff --git a/Makefile.am b/Makefile.am
-index 7132215..32e2193 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -93,7 +93,7 @@ tss2_tools = \
- 
- # Bundle all the tools into a single program similar to busybox
- bin_PROGRAMS += tools/tpm2
--tools_tpm2_LDADD = $(LDADD) $(CURL_LIBS)
-+tools_tpm2_LDADD = $(LDADD)
- tools_tpm2_CFLAGS = $(AM_CFLAGS) -DTPM2_TOOLS_MAX="$(words $(tpm2_tools))"
- tools_tpm2_SOURCES = \
- tools/tpm2_tool.c \
-@@ -127,7 +127,6 @@ tpm2_tools = \
- tools/tpm2_encryptdecrypt.c \
- tools/tpm2_evictcontrol.c \
- tools/tpm2_flushcontext.c \
-- tools/tpm2_getekcertificate.c \
- tools/tpm2_getrandom.c \
- tools/tpm2_gettime.c \
- tools/tpm2_hash.c \
-diff --git a/configure.ac b/configure.ac
-index f1c1711..7279baa 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -59,7 +59,6 @@ PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
- PKG_CHECK_MODULES([TSS2_RC], [tss2-rc])
- PKG_CHECK_MODULES([TSS2_SYS], [tss2-sys])
- PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])
--PKG_CHECK_MODULES([CURL], [libcurl])
- 
- # pretty print of devicepath if efivar library is present
- PKG_CHECK_MODULES([EFIVAR], [efivar],,[true])
diff --git a/patches/tpm2-tools-5.6.patch b/patches/tpm2-tools-5.6.patch
new file mode 100644
index 00000000..991d0791
--- /dev/null
+++ b/patches/tpm2-tools-5.6.patch
@@ -0,0 +1,42 @@
+--- ./bootstrap.orig 2023-11-08 02:19:36.000000000 -0500
++++ ./bootstrap 2024-04-03 12:18:46.722995465 -0400
+@@ -5,7 +5,7 @@
+ 
+ # Generate a VERSION file that is included in the dist tarball to avoid needed git
+ # when calling autoreconf in a release tarball.
+-git describe --tags --always --dirty > VERSION
++#git describe --tags --always --dirty > VERSION
+ 
+ # generate list of source files for use in Makefile.am
+ # if you add new source files, you must run ./bootstrap again
+diff --git a/Makefile.am b/Makefile.am
+index 7132215..32e2193 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -93,7 +93,7 @@ tss2_tools = \
+ 
+ # Bundle all the tools into a single program similar to busybox
+ bin_PROGRAMS += tools/tpm2
+-tools_tpm2_LDADD = $(LDADD) $(CURL_LIBS)
++tools_tpm2_LDADD = $(LDADD)
+ tools_tpm2_CFLAGS = $(AM_CFLAGS) -DTPM2_TOOLS_MAX="$(words $(tpm2_tools))"
+ tools_tpm2_SOURCES = \
+ tools/tpm2_tool.c \
+@@ -127,7 +127,6 @@ tpm2_tools = \
+ tools/tpm2_encryptdecrypt.c \
+ tools/tpm2_evictcontrol.c \
+ tools/tpm2_flushcontext.c \
+- tools/tpm2_getekcertificate.c \
+ tools/tpm2_getrandom.c \
+ tools/tpm2_gettime.c \
+ tools/tpm2_hash.c \
+--- ./configure.ac.orig 2023-11-08 02:19:36.000000000 -0500
++++ ./configure.ac 2024-04-02 12:05:00.270985575 -0400
+@@ -80,7 +80,6 @@
+ AC_CHECK_LIB(crypto, [EVP_sm4_cfb128], [
+ AC_DEFINE([HAVE_EVP_SM4_CFB], [1], [Support EVP_sm4_cfb in openssl])],
+ [])
+-PKG_CHECK_MODULES([CURL], [libcurl])
+ 
+ # pretty print of devicepath if efivar library is present
+ # auto detect if not specified via the --with-efivar option.
diff --git a/patches/tpm2-tss-3.2.0.patch b/patches/tpm2-tss-3.2.2.patch
similarity index 100%
rename from patches/tpm2-tss-3.2.0.patch
rename to patches/tpm2-tss-3.2.2.patch
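Review bot: The Makefile.am section in the middle of this patch was carried over from the deleted 5.2 patch together with its `index 7132215..32e2193 100644` line and `@@ -93,7 +93,7 @@` offsets, while the bootstrap and configure.ac sections are in the `./file.orig` form generated against the 5.6 tree; the blob ids do not describe 5.6's Makefile.am, which `patch -p1` ignores but which misleads anyone using `git apply --3way` or the ids to locate the base revision. Regenerating that section against 5.6 in the same `--- ./Makefile.am.orig` / `+++ ./Makefile.am` form makes the file uniform and records the real context. In the bootstrap hunk the comment `# Generate a VERSION file that is included in the dist tarball ...` now describes a step that is commented out; a replacement such as `# VERSION is written by the heads module Makefile before bootstrap runs (release tarballs carry no .git)` would explain where the file comes from.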