tpm2-openssl: init at 1.2.0

[stv0g]

Description of changes

This PR packages tpm2-openssl an OpenSSL Provider for TPM2 integration.

Tested with:

nix build github:stv0g/nixpkgs/add-tpm2-openssl\#tpm2-openssl
nix run   github:stv0g/nixpkgs/add-tpm2-openssl\#openssl -- rand \
   -provider-path ./result/lib/ossl-modules \
   -provider tpm2 \
   16

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[philiptaron]

I tested it out and it does indeed work as expected.

I have a few suggestions and comments.

[thillux]

Please use a recursive attribute set instead of finalAttrs and reformat afterwards. See the attached patch for reference. Otherwise LGTM.

diff --git a/pkgs/by-name/tp/tpm2-openssl/package.nix b/pkgs/by-name/tp/tpm2-openssl/package.nix
index a3cce7058653..1a0d6454a3e2 100644
--- a/pkgs/by-name/tp/tpm2-openssl/package.nix
+++ b/pkgs/by-name/tp/tpm2-openssl/package.nix
@@ -6,16 +6,16 @@
 , pkg-config
 , openssl
 , tpm2-tss
-,
 }:
-stdenv.mkDerivation (
-  finalAttrs: {
+
+stdenv.mkDerivation rec {
     pname = "tpm2-openssl";
     version = "1.2.0";
+
     src = fetchFromGitHub {
       owner = "tpm2-software";
       repo = "tpm2-openssl";
-      rev = finalAttrs.version;
+      rev = version;
       hash = "sha256-mZ4Z/GxJFwwfyFd1SAiVlQqOjkFSzsZePeuEZtq8Mcg=";
     };
 
@@ -37,7 +37,7 @@ stdenv.mkDerivation (
     '';
 
     prePatch = ''
-      echo ${finalAttrs.version} > VERSION
+      echo ${version} > VERSION
     '';
 
     meta = with lib; {
@@ -47,5 +47,4 @@ stdenv.mkDerivation (
       maintainers = with maintainers; [ stv0g ];
       platforms = platforms.linux;
     };
-  }
-)
+}

[stv0g]

Please use a recursive attribute set instead of finalAttrs and reformat afterwards. See the attached patch for reference. Otherwise LGTM.

Thanks for the review :) I am wondering, why is using finalAttrs discouraged here? In case somebody overrides the package version, wouldnt this change be missed in the VERSION file?

[philiptaron]

#119942 and #293452 and this tip on nix.dev suggest we're broadly abandoning rec, especially in this use case. I don't understand your rationale for recommending the other direction @thillux -- please say more.

[thillux]

#119942 and #293452 and this tip on nix.dev suggest we're broadly abandoning rec, especially in this use case. I don't understand your rationale for recommending the other direction @thillux -- please say more.

Fair, I informed myself about this (thanks @WilliButz). Never mind my comments :)

[0x4A6F]

Result of nixpkgs-review pr 299626 run on x86_64-linux 1

1 package failed to build:

• tpm2-openssl

[stv0g]

Okay, I found the issue. It was broken by this recommendation by @SuperSandro2000
#299626 (comment).

Environment variables are not substituted in configureFlags. Or only if properly escaped:

---  configureFlags = [ "--with-modulesdir=$out/lib/ossl-modules" ];
+++  configureFlags = [ "--with-modulesdir=$$out/lib/ossl-modules" ];

I've seen that this is handled quite inconsistently in Nixpkgs. Some packages are using the escaping with $$, others are extending configureFlags in the preConfigure hook.

I will draft another PR to align this tree-wide.

[SuperSandro2000]

I think you could also use $(out)