diff --git a/recipes-connectivity/openssl/files/environment.d-openssl.sh b/recipes-connectivity/openssl/files/environment.d-openssl.sh
deleted file mode 100644
index b9cc24a7..00000000
--- a/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ /dev/null
@@ -1 +0,0 @@
-export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
diff --git a/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
deleted file mode 100644
index 949c7883..00000000
--- a/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -From 3e1d00481093e10775eaf69d619c45b32a4aa7dc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= -Date: Tue, 6 Nov 2018 14:50:47 +0100 -Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler - info -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The openssl build system generates buildinf.h containing the full -compiler command line used to compile objects. This breaks -reproducibility, as the compile command is baked into libcrypto, where -it is used when running `openssl version -f`. - -Add stripped build variables for the compiler and cflags lines, and use -those when generating buildinfo.h. - -This is based on a similar patch for older openssl versions: -https://patchwork.openembedded.org/patch/147229/ - -Upstream-Status: Inappropriate [OE specific] -Signed-off-by: Martin Hundebøll - - -Update to fix buildpaths qa issue for '-fmacro-prefix-map'. - -Signed-off-by: Kai Kang ---- - Configurations/unix-Makefile.tmpl | 10 +++++++++- - crypto/build.info | 2 +- - 2 files changed, 10 insertions(+), 2 deletions(-) - -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index 16af4d2087..54c162784c 100644 ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl -@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), - '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} - BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) - --# CPPFLAGS_Q is used for one thing only: to build up buildinf.h -+# *_Q variables are used for one thing only: to build up buildinf.h - CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g; - $cppflags2 =~ s|([\\"])|\\$1|g; - $lib_cppflags =~ s|([\\"])|\\$1|g; - join(' ', $lib_cppflags || (), $cppflags2 || (), - $cppflags1 || ()) -} - -+CFLAGS_Q={- for (@{$config{CFLAGS}}) { -+ s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; -+ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; -+ } -+ join(' ', 
@{$config{CFLAGS}}) -} -+ -+CC_Q={- $config{CC} =~ s|--sysroot=[^ ]+|--sysroot=recipe-sysroot|g; -+ join(' ', $config{CC}) -} -+ - PERLASM_SCHEME= {- $target{perlasm_scheme} -} - - # For x86 assembler: Set PROCESSOR to 386 if you want to support -diff --git a/crypto/build.info b/crypto/build.info -index b515b7318e..8c9cee2a09 100644 ---- a/crypto/build.info -+++ b/crypto/build.info -@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ - ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl - - DEPEND[cversion.o]=buildinf.h --GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" -+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)" - DEPEND[buildinf.h]=../configdata.pm - - GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME) --- -2.19.1 - diff --git a/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch b/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch deleted file mode 100644 index d8d9651b..00000000 --- a/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From a9401b2289656c5a36dd1b0ecebf0d23e291ce70 Mon Sep 17 00:00:00 2001 -From: Hongxu Jia -Date: Tue, 2 Oct 2018 23:58:24 +0800 -Subject: [PATCH] skip test_symbol_presence - -We cannot skip `01-test_symbol_presence.t' by configuring option `no-shared' -as INSTALL told us the shared libraries will not be built. - -[INSTALL snip] - Notes on shared libraries - ------------------------- - - For most systems the OpenSSL Configure script knows what is needed to - build shared libraries for libcrypto and libssl. On these systems - the shared libraries will be created by default. This can be suppressed and - only static libraries created by using the "no-shared" option. On systems - where OpenSSL does not know how to build shared libraries the "no-shared" - option will be forced and only static libraries will be created. -[INSTALL snip] - -Hence directly modification the case to skip it. - -Upstream-Status: Inappropriate [OE Specific] - -Signed-off-by: Hongxu Jia ---- - test/recipes/01-test_symbol_presence.t | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t -index 7f2a2d7..0b93745 100644 ---- a/test/recipes/01-test_symbol_presence.t -+++ b/test/recipes/01-test_symbol_presence.t -@@ -14,8 +14,7 @@ use OpenSSL::Test::Utils; - - setup("test_symbol_presence"); - --plan skip_all => "Only useful when building shared libraries" -- if disabled("shared"); -+plan skip_all => "The case needs debug symbols then we just disable it"; - - my @libnames = ("crypto", "ssl"); - my $testcount = scalar @libnames; --- -2.7.4 - diff --git a/recipes-connectivity/openssl/openssl/afalg.patch b/recipes-connectivity/openssl/openssl/afalg.patch deleted file mode 100644 index b7c0e969..00000000 --- a/recipes-connectivity/openssl/openssl/afalg.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -Don't refuse to build afalgeng if cross-compiling or the host kernel is too old. - -Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688] -Signed-off-by: Ross Burton - -diff --git a/Configure b/Configure -index 3baa8ce..9ef52ed 100755 ---- a/Configure -+++ b/Configure -@@ -1550,20 +1550,7 @@ unless ($disabled{"crypto-mdebug-backtrace"}) - unless ($disabled{afalgeng}) { - $config{afalgeng}=""; - if (grep { $_ eq 'afalgeng' } @{$target{enable}}) { -- my $minver = 4*10000 + 1*100 + 0; -- if ($config{CROSS_COMPILE} eq "") { -- my $verstr = `uname -r`; -- my ($ma, $mi1, $mi2) = split("\\.", $verstr); -- ($mi2) = $mi2 =~ /(\d+)/; -- my $ver = $ma*10000 + $mi1*100 + $mi2; -- if ($ver < $minver) { -- disable('too-old-kernel', 'afalgeng'); -- } else { -- push @{$config{engdirs}}, "afalg"; -- } -- } else { -- disable('cross-compiling', 'afalgeng'); -- } -+ push @{$config{engdirs}}, "afalg"; - } else { - disable('not-linux', 'afalgeng'); - } diff --git a/recipes-connectivity/openssl/openssl/reproducibility.patch b/recipes-connectivity/openssl/openssl/reproducibility.patch deleted file mode 100644 index 8accbc9d..00000000 --- a/recipes-connectivity/openssl/openssl/reproducibility.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -Using localtime() means the output can depend on the timezone of the build machine. -Using gmtime() is safer. For complete reproducibility use SOURCE_DATE_EPOCH if set. - -Signed-off-by: Richard Purdie -Upstream-Status: Pending [should be suitable] - -Index: openssl-3.0.1/apps/progs.pl -=================================================================== ---- openssl-3.0.1.orig/apps/progs.pl -+++ openssl-3.0.1/apps/progs.pl -@@ -21,7 +21,10 @@ die "Unrecognised option, must be -C or - my %commands = (); - my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/; - my $apps_openssl = shift @ARGV; --my $YEAR = [localtime()]->[5] + 1900; -+my $YEAR = [gmtime()]->[5] + 1900; -+if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} !~ /\D/) { -+ $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH})]->[5] + 1900; -+} - - # because the program apps/openssl has object files as sources, and - # they then have the corresponding C files as source, we need to chain diff --git a/recipes-connectivity/openssl/openssl/reproducible.patch b/recipes-connectivity/openssl/openssl/reproducible.patch deleted file mode 100644 index a24260c9..00000000 --- a/recipes-connectivity/openssl/openssl/reproducible.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -The value for perl_archname can vary depending on the host, e.g. -x86_64-linux-gnu-thread-multi or x86_64-linux-thread-multi which -makes the ptest package non-reproducible. Its unused other than -these references so drop it. - -RP 2020/2/6 - -Upstream-Status: Pending -Signed-off-by: Richard Purdie - -Index: openssl-1.1.1d/Configure -=================================================================== ---- openssl-1.1.1d.orig/Configure -+++ openssl-1.1.1d/Configure -@@ -286,7 +286,7 @@ if (defined env($local_config_envname)) - # Save away perl command information - $config{perl_cmd} = $^X; - $config{perl_version} = $Config{version}; --$config{perl_archname} = $Config{archname}; -+#$config{perl_archname} = $Config{archname}; - - $config{prefix}=""; - $config{openssldir}=""; -@@ -2517,7 +2517,7 @@ _____ - @{$config{perlargv}}), "\n"; - print "\nPerl information:\n\n"; - print ' ',$config{perl_cmd},"\n"; -- print ' ',$config{perl_version},' for ',$config{perl_archname},"\n"; -+ print ' ',$config{perl_version},"\n"; - } - if ($dump || $options) { - my $longest = 0; diff --git a/recipes-connectivity/openssl/openssl/run-ptest b/recipes-connectivity/openssl/openssl/run-ptest deleted file mode 100644 index 3fb22471..00000000 --- a/recipes-connectivity/openssl/openssl/run-ptest +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh - -set -e - -# Optional arguments are 'list' to lists all tests, or the test name (base name -# ie test_evp, not 03_test_evp.t). - -export TOP=. -# OPENSSL_ENGINES is relative from the test binaries -export OPENSSL_ENGINES=../engines - -perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;' diff --git a/recipes-connectivity/openssl/openssl_1.1.1q.bb b/recipes-connectivity/openssl/openssl_1.1.1q.bb deleted file mode 100644 index 56a76e57..00000000 --- a/recipes-connectivity/openssl/openssl_1.1.1q.bb +++ /dev/null 
@@ -1,219 +0,0 @@ -SUMMARY = "Secure Socket Layer" -DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." -HOMEPAGE = "http://www.openssl.org/" -BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" -SECTION = "libs/network" - -# "openssl" here actually means both OpenSSL and SSLeay licenses apply -# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) -LICENSE = "openssl" -LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" - -DEPENDS = "hostperl-runtime-native" - -SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ - file://run-ptest \ - file://0001-skip-test_symbol_presence.patch \ - file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ - file://afalg.patch \ - file://reproducible.patch \ - file://reproducibility.patch \ - " - -SRC_URI:append:class-nativesdk = " \ - file://environment.d-openssl.sh \ - " - -SRC_URI[sha256sum] = "d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca" - -inherit lib_package multilib_header multilib_script ptest -MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" - -PACKAGECONFIG ?= "" -PACKAGECONFIG:class-native = "" -PACKAGECONFIG:class-nativesdk = "" - -PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" - -B = "${WORKDIR}/build" -do_configure[cleandirs] = "${B}" - -#| ./libcrypto.so: undefined reference to `getcontext' -#| ./libcrypto.so: undefined reference to `setcontext' -#| ./libcrypto.so: undefined reference to `makecontext' -EXTRA_OECONF:append:libc-musl = " no-async" -EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm" - -# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions -# (native versions can be built with newer glibc, but then relocated onto a system with older glibc) -EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom" -EXTRA_OECONF:class-nativesdk = 
"--with-rand-seed=os,devrandom" - -# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. -CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" -CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" - -do_configure () { - os=${HOST_OS} - case $os in - linux-gnueabi |\ - linux-gnuspe |\ - linux-musleabi |\ - linux-muslspe |\ - linux-musl ) - os=linux - ;; - *) - ;; - esac - target="$os-${HOST_ARCH}" - case $target in - linux-arm*) - target=linux-armv4 - ;; - linux-aarch64*) - target=linux-aarch64 - ;; - linux-i?86 | linux-viac3) - target=linux-x86 - ;; - linux-gnux32-x86_64 | linux-muslx32-x86_64 ) - target=linux-x32 - ;; - linux-gnu64-x86_64) - target=linux-x86_64 - ;; - linux-mips | linux-mipsel) - # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags - target="linux-mips32 ${TARGET_CC_ARCH}" - ;; - linux-gnun32-mips*) - target=linux-mips64 - ;; - linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el) - target=linux64-mips64 - ;; - linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) - target=linux-generic32 - ;; - linux-powerpc) - target=linux-ppc - ;; - linux-powerpc64) - target=linux-ppc64 - ;; - linux-powerpc64le) - target=linux-ppc64le - ;; - linux-riscv32) - target=linux-generic32 - ;; - linux-riscv64) - target=linux-generic64 - ;; - linux-sparc | linux-supersparc) - target=linux-sparcv9 - ;; - esac - - useprefix=${prefix} - if [ "x$useprefix" = "x" ]; then - useprefix=/ - fi - # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the - # environment variables set by bitbake. Adjust the environment variables instead. 
- HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target - perl ${B}/configdata.pm --dump -} - -do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install - - oe_multilib_header openssl/opensslconf.h - - # Create SSL structure for packages such as ca-certificates which - # contain hard-coded paths to /etc/ssl. Debian does the same. - install -d ${D}${sysconfdir}/ssl - mv ${D}${libdir}/ssl-1.1/certs \ - ${D}${libdir}/ssl-1.1/private \ - ${D}${libdir}/ssl-1.1/openssl.cnf \ - ${D}${sysconfdir}/ssl/ - - # Although absolute symlinks would be OK for the target, they become - # invalid if native or nativesdk are relocated from sstate. - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf -} - -do_install:append:class-native () { - create_wrapper ${D}${bindir}/openssl \ - OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \ - SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ - SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ - OPENSSL_ENGINES=${libdir}/engines-1.1 -} - -do_install:append:class-nativesdk () { - mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d - install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh - sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh -} - -PTEST_BUILD_HOST_FILES += "configdata.pm" -PTEST_BUILD_HOST_PATTERN = "perl_version =" -do_install_ptest () { - # Prune the build tree - rm -f ${B}/fuzz/*.* ${B}/test/*.* - - cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH} - cp -r ${S}/external 
${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH} - - # For test_shlibload - ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/ - ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/ - - install -d ${D}${PTEST_PATH}/apps - ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps - install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps - install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps - - install -d ${D}${PTEST_PATH}/engines - install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines - install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines -} - -# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto -# package RRECOMMENDS on this package. This will enable the configuration -# file to be installed for both the openssl-bin package and the libcrypto -# package since the openssl-bin package depends on the libcrypto package. - -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" - -FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}" -FILES:libssl = "${libdir}/libssl${SOLIBS}" -FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \ - ${libdir}/ssl-1.1/openssl.cnf* \ - " -FILES:${PN}-engines = "${libdir}/engines-1.1" -FILES:${PN}-misc = "${libdir}/ssl-1.1/misc" -FILES:${PN} =+ "${libdir}/ssl-1.1/*" -FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" - -CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf" - -RRECOMMENDS:libcrypto += "openssl-conf" -RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash" - -RDEPENDS:${PN}-bin += "openssl-conf" - -BBCLASSEXTEND = "native nativesdk" - -CVE_PRODUCT = "openssl:openssl" - -CVE_VERSION_SUFFIX = "alphabetical" - -# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 -# Apache in meta-webserver is already recent enough -CVE_CHECK_IGNORE += "CVE-2019-0190" diff --git a/recipes-trustx/userdata/pki-native.bb b/recipes-trustx/userdata/pki-native.bb index 4410203f..c356d759 100644 
--- a/recipes-trustx/userdata/pki-native.bb +++ b/recipes-trustx/userdata/pki-native.bb @@ -1,22 +1,24 @@ LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://${TOPDIR}/../trustme/build/COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" +inherit externalsrc + SRC = "${TOPDIR}/../trustme/build/" +EXTERNALSRC = "${SRC}" -CFG_OVERLAY_DIR = "${SRC}/config_overlay" -CONFIG_CREATOR_DIR = "${SRC}/config_creator" -PROTO_FILE_DIR = "${WORKDIR}/cml/daemon" -PROVISIONING_DIR = "${SRC}/device_provisioning" +CFG_OVERLAY_DIR = "${S}/config_overlay" +CONFIG_CREATOR_DIR = "${S}/config_creator" +PROVISIONING_DIR = "${S}/device_provisioning" ENROLLMENT_DIR = "${PROVISIONING_DIR}/oss_enrollment" TEST_CERT_DIR = "${TOPDIR}/test_certificates" +inherit native + DEPENDS = "openssl-native" -inherit native +SSTATE_SKIP_CREATION = "1" do_compile() { - #TODO Find cleaner way to do this - # random string to ignore SSTATE_MIRROR if [ ! -f ${TEST_CERT_DIR}.generating ]; then touch ${TEST_CERT_DIR}.generating export DO_PLATFORM_KEYS=${PKI_UEFI_KEYS} @@ -33,3 +35,17 @@ do_compile() { rm ${TEST_CERT_DIR}.generating fi } + +do_clean() { + if [ -f ${TEST_CERT_DIR}.generating ]; then + rm ${TEST_CERT_DIR}.generating + fi + if [ -d ${TEST_CERT_DIR} ]; then + rm -r ${TEST_CERT_DIR} + fi + if [ -n "`ls ${ENROLLMENT_DIR}/certificates/ | egrep *.txt*`" ]; then + for txt in ${ENROLLMENT_DIR}/certificates/*.txt*; do + rm ${txt} + done + fi +} diff --git a/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine/Cross-compile-compatible-enginesdir-variable_4.0.1.patch b/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine/Cross-compile-compatible-enginesdir-variable_4.0.1.patch new file mode 100644 index 00000000..566a5c7b --- /dev/null +++ b/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine/Cross-compile-compatible-enginesdir-variable_4.0.1.patch 
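Review bot: `SSTATE_SKIP_CREATION = "1"` is added without a comment, and the two comment lines in do_compile that explained the sstate workaround are removed, so the recipe no longer says why it must stay out of the cache. do_compile writes the generated test PKI to `${TEST_CERT_DIR}` under `${TOPDIR}`, outside the work directory, so restoring this recipe from a shared sstate cache would presumably skip key generation on the local machine. I would state that on the line above the setting, for example `# Test PKI is generated into ${TOPDIR}/test_certificates, outside WORKDIR; never package this recipe into sstate.` do_compile's body continues outside the hunk.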
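Review bot: The last test in the new do_clean passes `*.txt*` unquoted to egrep, so the shell may expand it against the current directory before egrep runs, and the unexpanded string is not a meaningful regular expression; `ls` also prints an error when `${ENROLLMENT_DIR}/certificates/` does not exist. The whole `if`/`for` block can be replaced with `rm -f ${ENROLLMENT_DIR}/certificates/*.txt*`, which does nothing when no file matches. Separately, defining a shell `do_clean()` in the recipe appears to replace the stock clean task rather than extend it; if only the extra cleanup is intended, confirm that the default work directory and stamp removal still happens.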
@@ -0,0 +1,88 @@
+From d04f8e55793fef8c43718b2968cb9bd877cd57eb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20Wei=C3=9F?=
+Date: Wed, 9 Aug 2023 14:23:25 +0200
+Subject: [PATCH] Cross-compile compatible enginesdir variable
+
+Get enginesdir from pkg-config instead of non portable use of gcc.
+Further provide a --with-engingesdir option for configure.
+---
+ configure.ac | 42 ++++++++++++++----------------------------
+ src/engine/Makefile.am | 2 +-
+ 2 files changed, 15 insertions(+), 29 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9e74274..3423aa7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -55,41 +55,27 @@ PKG_CHECK_MODULES([DEPS], [libcrypto >= 3.0.0],
+ [ac_have_openssl3=1],
+ [PKG_CHECK_MODULES([DEPS], [libcrypto])])
+
+-AC_ARG_WITH(
+- [enginesdir],
+- [AC_HELP_STRING([--with-enginesdir], [OpenSSL engines directory])],
+- [enginesdir="${withval}"],
+- [AC_LANG_CONFTEST([AC_LANG_PROGRAM(
+- [[
+- #define HEADER_CRYPTLIB_H
+- #include
+- #include
+- ]],
+- [[
+- #if OPENSSL_VERSION_NUMBER < 0x10100000
+- puts(ENGINESDIR);
+- #else
+- puts(OpenSSL_version(OPENSSL_ENGINES_DIR));
+- #endif
+- ]]
+- )])
+- gcc $CFLAGS conftest.c -lcrypto
+- enginesdir=`./a.out|sed 's/ENGINESDIR: //'`
+- ]
+- )
+-
+-if test -z "$enginesdir" ; then
+- AC_MSG_FAILURE([Failed to find SSL engines directory])
+-fi
++AC_ARG_WITH([enginesdir],
++ [AS_HELP_STRING([--with-enginesdir],
++ [Set the OpenSSL engine directory (default: use pkg-config)])],
++ [],
++ [with_enginesdir=$ac_enginesdir])
++AS_IF([test -z "$with_enginesdir"],
++ [AC_MSG_WARN([Empty enginesdir, using $libdir/engines instead.])])
++# This weirdness is necessary to enable distcheck via DISTCHECK_CONFIGURE_FLAGS
++AS_IF([test -z "$with_enginesdir"],
++ [with_enginesdir=$libdir/engines])
+
+ if test "$ac_have_openssl3" = "1"; then
+ modulesdir=\"`$PKG_CONFIG --variable=modulesdir libcrypto`\"
+ AC_SUBST(modulesdir)
+ fi
+
+-AC_SUBST(enginesdir)
++AC_SUBST(ENGINESDIR, "$with_enginesdir")
++
++PKG_CHECK_MODULES([DEPS], [libcrypto],
++ [ac_enginesdir=`$PKG_CONFIG --variable=enginesdir libcrypto`])
+
+-PKG_CHECK_MODULES([DEPS], [libcrypto])
+
+ AC_SEARCH_LIBS([TSS_Create], [tss ibmtss], [
+ AC_DEFINE(HAVE_IBM_TSS, 1, [Defined if we have the IBM TSS])
+diff --git a/src/engine/Makefile.am b/src/engine/Makefile.am
+index 9ce2a25..a2a0cad 100644
+--- a/src/engine/Makefile.am
++++ b/src/engine/Makefile.am
+@@ -1,7 +1,7 @@
+ AM_CPPFLAGS = -I ../include ${DEPRECATION}
+
+ openssl_engine_LTLIBRARIES=libtpm2.la
+-openssl_enginedir=@enginesdir@
++openssl_enginedir=$(ENGINESDIR)
+
+ COMMONLIB = ../libcommon/libcommon.a
+
+--
+2.30.2
+
diff --git a/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine/Makefile.am-Use-src_topdir-instead-of-relative-inclu_4.0.1.patch b/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine/Makefile.am-Use-src_topdir-instead-of-relative-inclu_4.0.1.patch
new file mode 100644
index 00000000..a9bc483a
--- /dev/null
+++ b/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine/Makefile.am-Use-src_topdir-instead-of-relative-inclu_4.0.1.patch
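Review bot: In the new configure.ac text the default branch of `AC_ARG_WITH([enginesdir], ...)` reads `$ac_enginesdir`, but the `PKG_CHECK_MODULES` call that assigns `ac_enginesdir` from `$PKG_CONFIG --variable=enginesdir libcrypto` is added further down, after `AC_SUBST(ENGINESDIR, "$with_enginesdir")`. As written the variable is still empty when the default is taken, so configure always warns and falls back to `$libdir/engines`, and the pkg-config lookup named in the patch description has no effect on where the engine is installed. Moving the two-line `PKG_CHECK_MODULES([DEPS], [libcrypto], [ac_enginesdir=...])` call above `AC_ARG_WITH` restores the intended order. The patch header also carries no `Upstream-Status:` or `Signed-off-by:` line, unlike the OpenSSL patches removed in this commit; the same holds for the two other patches added under openssl-tpm2-engine/.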
@@ -0,0 +1,76 @@
+From 1060c0df7274e3dcdc67f73f03affb29239301bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20Wei=C3=9F?=
+Date: Thu, 10 Aug 2023 11:21:43 +0200
+Subject: [PATCH] Makefile.am: Use src_topdir instead of relative include dir
+
+This allows to compile in seperate build directory. Otherwise
+headers in src/include dir would not be found. Since the src/include
+dir is not availabble in the build directory.
+---
+ src/engine/Makefile.am | 2 +-
+ src/libcommon/Makefile.am | 2 +-
+ src/opensslmissing/Makefile.am | 2 +-
+ src/provider/Makefile.am | 2 +-
+ src/tools/Makefile.am | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/engine/Makefile.am b/src/engine/Makefile.am
+index a2a0cad..f9dc402 100644
+--- a/src/engine/Makefile.am
++++ b/src/engine/Makefile.am
+@@ -1,4 +1,4 @@
+-AM_CPPFLAGS = -I ../include ${DEPRECATION}
++AM_CPPFLAGS = -I $(top_srcdir)/src/include ${DEPRECATION}
+
+ openssl_engine_LTLIBRARIES=libtpm2.la
+ openssl_enginedir=$(ENGINESDIR)
+diff --git a/src/libcommon/Makefile.am b/src/libcommon/Makefile.am
+index ad566ff..00362ae 100644
+--- a/src/libcommon/Makefile.am
++++ b/src/libcommon/Makefile.am
+@@ -1,6 +1,6 @@
+ noinst_LIBRARIES = libcommon.a
+
+-AM_CPPFLAGS = -I ../include/ ${DEPRECATION}
++AM_CPPFLAGS = -I $(top_srcdir)/src/include/ ${DEPRECATION}
+
+ libcommon_a_SOURCES = tpm2-common.c
+ libcommon_a_CFLAGS = -fPIC
+diff --git a/src/opensslmissing/Makefile.am b/src/opensslmissing/Makefile.am
+index bc4243a..a829d4a 100644
+--- a/src/opensslmissing/Makefile.am
++++ b/src/opensslmissing/Makefile.am
+@@ -1,6 +1,6 @@
+ noinst_LIBRARIES = libosslm.a
+
+-AM_CPPFLAGS = -I ../include
++AM_CPPFLAGS = -I $(top_srcdir)/src/include
+
+ if HAVE_OPENSSL3
+ libosslm_a_SOURCES = rsa.c signature.c
+diff --git a/src/provider/Makefile.am b/src/provider/Makefile.am
+index 5ff91cf..ca6966c 100644
+--- a/src/provider/Makefile.am
++++ b/src/provider/Makefile.am
+@@ -1,4 +1,4 @@
+-AM_CPPFLAGS=-I../include
++AM_CPPFLAGS = -I $(top_srcdir)/src/include
+ COMMONLIB = ../libcommon/libcommon.a ../opensslmissing/libosslm.a
+
+ if HAVE_OPENSSL3
+diff --git a/src/tools/Makefile.am b/src/tools/Makefile.am
+index 62fb329..e42e0d2 100644
+--- a/src/tools/Makefile.am
++++ b/src/tools/Makefile.am
+@@ -7,7 +7,7 @@ man1_MANS = create_tpm2_key.1 load_tpm2_key.1 seal_tpm2_data.1 \
+ CLEANFILES = $(man1_MANS)
+ endif
+
+-AM_CPPFLAGS = -I ../include ${DEPRECATION}
++AM_CPPFLAGS = -I $(top_srcdir)/src/include ${DEPRECATION}
+
+ bin_PROGRAMS=create_tpm2_key load_tpm2_key seal_tpm2_data unseal_tpm2_data \
+ signed_tpm2_policy
+--
+2.30.2
+
diff --git a/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine/src-provider-keymgmt-initialize-order-in-tpm2_keymgm_4.0.1.patch b/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine/src-provider-keymgmt-initialize-order-in-tpm2_keymgm_4.0.1.patch
new file mode 100644
index 00000000..75bc35e7
--- /dev/null
+++ b/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine/src-provider-keymgmt-initialize-order-in-tpm2_keymgm_4.0.1.patch
@@ -0,0 +1,26 @@
+From fab9a93bc950983fb724355e60ce5418cafdd520 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20Wei=C3=9F?=
+Date: Thu, 10 Aug 2023 13:08:10 +0200
+Subject: [PATCH] src/provider/keymgmt: initialize order in
+ tpm2_keymgmt_import()
+
+---
+ src/provider/keymgmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/provider/keymgmt.c b/src/provider/keymgmt.c
+index aa9c120..31929da 100644
+--- a/src/provider/keymgmt.c
++++ b/src/provider/keymgmt.c
+@@ -177,7 +177,7 @@ static int tpm2_keymgmt_import(void *key, int selection,
+ EC_POINT *pt;
+ BIGNUM *x, *y;
+ TPMS_ECC_POINT *tpt = &ad->Public.publicArea.unique.ecc;
+- int order;
++ int order = 0;
+ int ret = 1;
+
+ if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
+--
+2.30.2
+
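Review bot: The embedded keymgmt patch changes `int order;` to `int order = 0;` in tpm2_keymgmt_import() with an empty description, so a reader cannot tell which path read `order` before it was assigned or whether 0 is a safe value there. The function body continues outside the hunk, so this cannot be checked from here; if `order` is later used as a length or size, a zero default may only hide a failed lookup instead of reporting it. I would add a sentence to the patch description naming the compiler warning or code path being fixed, and confirm that the error path returns before `order` is used.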
diff --git a/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine_4.0.1.bb b/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine_4.0.1.bb
new file mode 100644
index 00000000..7fa17faf
--- /dev/null
+++ b/recipes-tss/openssl-tpm2-engine/openssl-tpm2-engine_4.0.1.bb
@@ -0,0 +1,49 @@
+SUMMARY = "TPM2 engine and key creation tools for openssl"
+DESCRIPTION = "This package contains 2 sets of code, a command-line utility used to \
+generate a TSS key blob and write it to disk and an OpenSSL engine which \
+interfaces with the TSS API. Because this application uses the TPM \
+cryptographically, it must be build with the IBM TSS."
+
+HOMEPAGE = "https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/"
+LICENSE = "LGPL-2.1-only"
+
+DEPENDS = "openssl ibmtss2"
+
+RDEPENDS:${PN} += "openssl libgcc"
+
+EXTRA_OECONF = "--with-openssl=${RECIPE_SYSROOT}/usr"
+
+TAR_N = "openssl_tpm2_engine"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=a055871bc591288e6970672b3ff8736d"
+SRC_URI = "https://git.kernel.org/pub/scm/linux/kernel/git/jejb/${TAR_N}.git/snapshot/${TAR_N}-${PV}.tar.gz \
+ file://Cross-compile-compatible-enginesdir-variable_${PV}.patch \
+ file://Makefile.am-Use-src_topdir-instead-of-relative-inclu_${PV}.patch \
+ file://src-provider-keymgmt-initialize-order-in-tpm2_keymgm_${PV}.patch \
+"
+
+S = "${WORKDIR}/${TAR_N}-${PV}"
+
+EXTRA_OEMAKE = "-I ${S}/src/include"
+
+SRC_URI[md5sum] = "587c08c6c75a7318f0f1d2faaa210385"
+SRC_URI[sha256sum] = "42fcecaf40945ae9603b93bc1e63a48b62ac1b25f9b4375c3b67dac9d5bf1ea7"
+
+inherit autotools pkgconfig
+
+do_configure:prepend() {
+ touch ${S}/NEWS
+ touch ${S}/AUTHORS
+ touch ${S}/ChangeLog
+ cp ${S}/LICENSE ${S}/COPYING
+}
+
+do_install:append() {
+ install -d ${D}${libdir}/engines-3.0
+ mv ${D}${libdir}/engines/libtpm2.so ${D}${libdir}/engines-3.0/tpm2.so
+ rm ${D}${libdir}/engines/tpm2.so
+ rm -r ${D}${libdir}/ossl-modules
+}
+
+FILES:${PN} += "${libdir}/*"
+FILES:${PN} += "${bindir}/*"
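Review bot: do_install:append hard-codes `${libdir}/engines-3.0` and moves `libtpm2.so` there by hand, which only works as long as configure installs into `$libdir/engines`. The patched configure.ac added in this commit provides `--with-enginesdir`, so the recipe can name the target directory once with `EXTRA_OECONF += "--with-enginesdir=${libdir}/engines-3.0"` and keep only the rename in do_install:append. The unconditional `rm ${D}${libdir}/engines/tpm2.so` and `rm -r ${D}${libdir}/ossl-modules` will fail the task if upstream stops installing those paths, so `rm -f`/`rm -rf` plus a comment on why the provider module is dropped would help. `EXTRA_OEMAKE = "-I ${S}/src/include"` passes `-I` to make, where it sets the makefile include search path rather than a compiler flag, so it is probably redundant with the Makefile.am patch.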