tpm2-tss-engine #107298

Open
Binary-Eater opened this issue Dec 21, 2020 · 6 comments
Comments

@Binary-Eater
Contributor

Binary-Eater commented Dec 21, 2020

OpenSSL cryptographic engine package for TPM 2.0

Uses the tpm2-tss package to provide an interface for OpenSSL to utilize TPM 2.0 for cryptographic purposes.

Metadata

@matthiasbeyer
Contributor

If someone needs a starting point: https://git.beyermatthi.as/nixpkgs/log/?h=init-tpm2-tss-engine

I started it but I do not have enough time right now. It fails during compilation because it tries to create symbolic links in the openssl installation (probably submit this as bug report to upstream).

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 20, 2021
@terlar
Contributor

terlar commented Oct 14, 2022

@matthiasbeyer @Binary-Eater

I got it to build like this:

{ stdenv, lib, fetchFromGitHub, autoreconfHook, autoconf-archive, pkg-config
, pandoc, doxygen
# Runtime
, openssl, tpm2-tss
# Check
, cmocka, expect, tpm2-tools, ibm-sw-tpm2, coreutils, iproute }:

let
  pname = "tpm2-tss-engine";
  version = "1.1.0";
in stdenv.mkDerivation {
  inherit pname version;

  src = fetchFromGitHub {
    owner = "tpm2-software";
    repo = pname;
    rev = "v${version}";
    sha256 = "1pwc38izkk50s73xzcca1l5h265lmh4hcgpfq8lmbv5grq2qdal8";
  };

  nativeBuildInputs =
    [ autoreconfHook autoconf-archive pkg-config doxygen pandoc ];
  buildInputs = [ openssl tpm2-tss ];
  checkInputs = [ cmocka expect tpm2-tools ibm-sw-tpm2 coreutils iproute ];

  postPatch = ''
    patchShebangs bootstrap
    patchShebangs test
  '';

  preAutoreconf = "./bootstrap";

  enableParallelBuilding = true;

  configureFlags = [
    "--with-enginesdir=${placeholder "out"}/lib/engines"
    "--enable-unit"
    # Integration tests disabled, as they rely on TPM2 support
    # "--enable-integration"
  ];

  doCheck = true;

  meta = {
    homepage = "https://github.com/tpm2-software/tpm2-tss-engine";
    description = "OpenSSL Engine for TPM2 devices";
    license = lib.licenses.bsd3;
    platforms = lib.platforms.linux;
    maintainers = [ lib.maintainers.terlar ];
  };
}

Unfortunately I didn't have a TPM2 device when I packaged it (January last year). So could perhaps have saved you some time. I remember it failed the integration tests, but I just re-ran them now on a device that has TPM2 and then the integration tests passed as well. After the build I can execute the binary. Not sure what more I need to verify.

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 14, 2022
@Binary-Eater
Contributor Author

Binary-Eater commented Nov 12, 2022

@terlar I finally got a chance to test your packaging.

You have a syntax error in your posting.

    maintainers = lib.maintainers.terlar ];

should be

    maintainers = [ lib.maintainers.terlar ];

I noticed this error when testing ./result/bin/tpm2tss-genkey.

./result/bin/tpm2tss-genkey key.priv
Could not load tpm2tss engine

This appears to be an issue with loading the shared object needed.

openat(AT_FDCWD, "/nix/store/dk9xkkxabg6mpcb3nahjg0pla75m69vq-openssl-1.1.1q/lib/engines-1.1/tpm2tss.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/nix/store/dk9xkkxabg6mpcb3nahjg0pla75m69vq-openssl-1.1.1q/lib/engines-1.1/libtpm2tss.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "Could not load tpm2tss engine\n", 30Could not load tpm2tss engine

The required shared objects are under result/lib/engines and not result/lib/engines-1.1. Misread the path.

@Binary-Eater
Contributor Author

This error makes sense to me. Uses openssl library functionality for invoking the engine. Openssl does not know where the tpm2-tss-engine is located.

https://github.com/tpm2-software/tpm2-tss-engine/blob/0745b9df717a6613f1415173861df46ec660b425/src/tpm2tss-genkey.c#L38-L40

Integration tests pass for me as well with my tpm2 device. I think this could be upstreamed and then the next step is adding an option for openssl 1.1.1 to have this engine installed with it.

Openssl 3 will require tpm2-openssl.
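The loading failure discussed above comes from a path mismatch: the derivation installs the engine under result/lib/engines (the --with-enginesdir value), while the strace shows OpenSSL 1.1 probing its own compiled-in engines-1.1 directory for tpm2tss.so and then libtpm2tss.so. The script below is an added example, not code from the thread or from the tpm2-tss-engine project. It reproduces that two-candidate lookup so a packager can verify where the engine actually landed and whether OpenSSL will find it, and it reports the OPENSSL_ENGINES override (which OpenSSL honours as a replacement for the compiled-in engines directory) when it will not. The function names and the result-directory layout are assumptions for illustration; the openssl binary is only consulted if present.

```shell
#!/bin/sh
# Added example (not from the issue thread): mimic OpenSSL 1.1's dynamic
# engine lookup to check where a "tpm2tss" engine would be found.
set -eu

# OpenSSL probes <dir>/<id>.so and then <dir>/lib<id>.so, exactly the two
# openat() calls visible in the strace above. Print the first hit, else fail.
resolve_engine() {
    dir=$1; id=$2
    for f in "$dir/$id.so" "$dir/lib$id.so"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Directory OpenSSL will search: OPENSSL_ENGINES if set, otherwise the
# ENGINESDIR compiled into the openssl binary (empty if unknown).
engine_search_dir() {
    if [ -n "${OPENSSL_ENGINES:-}" ]; then
        printf '%s\n' "$OPENSSL_ENGINES"
    elif command -v openssl >/dev/null 2>&1; then
        openssl version -e 2>/dev/null | sed -n 's/^ENGINESDIR: "\(.*\)"$/\1/p'
    fi
}

# Check a Nix build result (assumed layout: $result/lib/engines, as produced by
# --with-enginesdir=$out/lib/engines in the derivation above) for the engine and
# say whether OpenSSL will see it without help.
verify_result() {
    result=$1
    id=${2:-tpm2tss}
    built_dir="$result/lib/engines"
    engine=$(resolve_engine "$built_dir" "$id") || {
        echo "no $id engine under $built_dir" >&2
        return 1
    }
    search_dir=$(engine_search_dir)
    if [ -n "$search_dir" ] && resolve_engine "$search_dir" "$id" >/dev/null; then
        echo "OpenSSL will find $id in its engine directory: $search_dir"
    else
        echo "built engine: $engine"
        echo "OpenSSL engine directory: ${search_dir:-unknown} (engine not there)"
        echo "run with: OPENSSL_ENGINES=$built_dir <command>"
    fi
    return 0
}

# Usage: ./check-engine.sh ./result [engine-id]
if [ $# -gt 0 ]; then
    verify_result "$1" "${2:-tpm2tss}"
fi
```

After a build, `./check-engine.sh ./result` either confirms the engine is where OpenSSL looks or prints the OPENSSL_ENGINES=./result/lib/engines setting to prefix onto the tpm2tss-genkey invocation; the same check is useful for spotting a stray engine directory that OpenSSL would pick up unexpectedly.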

@stv0g
Contributor

stv0g commented Apr 7, 2024

Just fyi, I've created a PR to add tpm2-openssl: #299626
