From 568d6fca33da46503b3b87ddec33aa5d3efa4894 Mon Sep 17 00:00:00 2001 From: Nick Cao Date: Sun, 15 Jan 2023 20:20:50 +0800 Subject: [PATCH] systemd: fix tpm2 driver init --- ...ontext_init-fix-driver-name-checking.patch | 44 +++++++++++++++++++ pkgs/os-specific/linux/systemd/default.nix | 1 + 2 files changed, 45 insertions(+) create mode 100644 pkgs/os-specific/linux/systemd/0019-tpm2_context_init-fix-driver-name-checking.patch diff --git a/pkgs/os-specific/linux/systemd/0019-tpm2_context_init-fix-driver-name-checking.patch b/pkgs/os-specific/linux/systemd/0019-tpm2_context_init-fix-driver-name-checking.patch new file mode 100644 index 00000000000000..c64fdd8d34c0b9 --- /dev/null +++ b/pkgs/os-specific/linux/systemd/0019-tpm2_context_init-fix-driver-name-checking.patch @@ -0,0 +1,44 @@ +From 236e9281cb158be3191c500524fbc5f397a25e03 Mon Sep 17 00:00:00 2001 +From: Nick Cao +Date: Sun, 15 Jan 2023 20:15:55 +0800 +Subject: [PATCH] tpm2_context_init: fix driver name checking + +https://github.com/systemd/systemd/commit/542dbc623e introduced +additional checks for tpm2 driver names, namely ensuring the driver +name, when concated with "libtss2-tcti-" and ".so.0", generates a valid +filename (with no '/' inside). + +For example, if the driver is name "device", the line + fn = strjoina("libtss2-tcti-", driver, ".so.0") +would yield "libtss2-tcti-device.so.0", passing the check. And the +filename is then passed to dlopen for loading the driver. + +Our current approach for systemd to correctly locate these dynamically +loaded libraries is to patch the filenames to include their absolute +path. Thus the line mentioned above is patched into + fn = strjoina("/nix/store/xxxxxxx-tpm2-tss-3.2.0/lib/libtss2-tcti-", driver, ".so.0") +yielding "/nix/store/xxxxxxx-tpm2-tss-3.2.0/lib/libtss2-tcti-device.so.0", +tripping the check. + +This patch relaxes the check to also accept absolute paths, by replacing +filename_is_valid with path_is_valid. +--- + src/shared/tpm2-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index ba8dfb041d..7de5d5fc77 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -192,7 +192,7 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) { + fn = strjoina("libtss2-tcti-", driver, ".so.0"); + + /* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */ +- if (!filename_is_valid(fn)) ++ if (!path_is_valid(fn)) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver); + + dl = dlopen(fn, RTLD_NOW); +-- +2.39.0 + diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 4799cdb06b7625..7d17cc85a8cd7e 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -174,6 +174,7 @@ stdenv.mkDerivation { ./0016-pkg-config-derive-prefix-from-prefix.patch ./0017-inherit-systemd-environment-when-calling-generators.patch ./0018-core-don-t-taint-on-unmerged-usr.patch + ./0019-tpm2_context_init-fix-driver-name-checking.patch ] ++ lib.optional stdenv.hostPlatform.isMusl ( let oe-core = fetchzip {