From 18e7be8ab7d5110577d97d1b4d1e24cc11082fe7 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 2 Apr 2024 17:06:12 -0400 Subject: [PATCH 1/6] Makefile: add real.gitclean target which calls 'git clean -fxd' Ease cleaning up everything. IMOH better then real.clean target Signed-off-by: Thierry Laurion --- Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Makefile b/Makefile index a64d4b09f..4f113d9c9 100644 --- a/Makefile +++ b/Makefile @@ -793,3 +793,5 @@ real.clean: fi; \ done cd install && rm -rf -- * +real.gitclean: + git clean -fxd From d7915e16391216f27175bfd15d8d1d2dd838101f Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 27 Mar 2024 16:14:31 -0400 Subject: [PATCH 2/6] OpenSSL (libcrypto): patch so that crypto/buildinfo.h generated by perl script contains reproducible date and fake compiler_flags hardcode VERSION='reproducible_build' into generated configure script to get rid of generate random git abbrev 8/12 chars (could not find source) patches/openssl-3.0.8.patch: clean up tpm2-tools/tpm2-tss: hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch Will be clened up in other commits. Leaving here as trace for autotools sed patching for reproducible builds. CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds TODO: change other patches a well and generalize to gpg toolstack, removing patches that are a maintainership burden. Signed-off-by: Thierry Laurion --- .circleci/config.yml | 17 ++++++++++------- modules/tpm2-tools | 13 ++++++++++++- modules/tpm2-tss | 14 ++++++++++++++ patches/openssl-3.0.8.patch | 35 +++++++++++++++++++++++++++++++++++ 4 files changed, 71 insertions(+), 8 deletions(-) create mode 100644 patches/openssl-3.0.8.patch diff --git a/.circleci/config.yml b/.circleci/config.yml index d0bff5776..303e11219 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -45,6 +45,7 @@ jobs: docker: - image: debian:11 resource_class: large + working_directory: ~/heads steps: - run: name: Install dependencies @@ -53,7 +54,6 @@ jobs: apt update apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo imagemagick libncurses5-dev - checkout - - run: name: git reset command: | @@ -120,6 +120,7 @@ jobs: docker: - image: debian:11 resource_class: large + working_directory: ~/heads parameters: arch: type: string @@ -138,15 +139,16 @@ jobs: - persist_to_workspace: root: ~/ paths: - - project/packages/<> - - project/build/<> - - project/crossgcc/<> - - project/install/<> + - heads/packages/<> + - heads/build/<> + - heads/crossgcc/<> + - heads/install/<> build: docker: - image: debian:11 resource_class: large + working_directory: ~/heads parameters: arch: type: string @@ -167,6 +169,7 @@ jobs: docker: - image: debian:11 resource_class: large + working_directory: ~/heads steps: - attach_workspace: at: ~/ @@ -236,13 +239,12 @@ workflows: # since kernel is 6.x and coreboot is git is unshared # We use nitropad's coreboot's fork crossgcc # No need to wait further for other board's cache. - # We reuse built modules from x230-hotp-maximized cache only - build_and_persist: name: nitropad-nv41 target: nitropad-nv41 subcommand: "" requires: - - x230-hotp-maximized + - prep_env # coreboot-git Talos II (PPC) - build_and_persist: @@ -527,3 +529,4 @@ workflows: # path: build/UNMAINTAINED_qemu-linuxboot/linuxboot.rom # - store-artifacts: # path: build/UNMAINTAINED_qemu-linuxboot/hashes.txt + diff --git a/modules/tpm2-tools b/modules/tpm2-tools index 98711195a..7407dae0c 100644 --- a/modules/tpm2-tools +++ b/modules/tpm2-tools @@ -18,7 +18,18 @@ tpm2-tools_url := https://github.com/tpm2-software/tpm2-tools/releases/download/ tpm2-tools_hash := c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630 # we have ESYS 3.0, but it doesn't figure that out on its own -tpm2-tools_configure := ./bootstrap && ./configure \ +tpm2-tools_configure := \ + ./bootstrap \ + && sed -i 's/hardcode_direct=yes/hardcode_direct=no/g' configure \ + && sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \ + && sed -i 's/hardcode_minus_L=yes/hardcode_minus_L=no/g' configure \ + && sed -i 's/hardcode_automatic=yes/hardcode_automatic=no/g' configure \ + && sed -i 's/hardcode_runpath_var=yes/hardcode_runpath_var=no/g' configure \ + && sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure \ + && sed -i 's/hardcode_direct_absolute=yes/hardcode_direct_absolute=no/g' configure \ + && sed -i 's/inherit_rpath=yes/inherit_rpath=no/g' configure \ + && sed -i "s/VERSION='.*'/VERSION='reproducible_build'/g" configure \ + && ./configure \ $(CROSS_TOOLS) \ --host $(MUSL_ARCH)-elf-linux \ --prefix "/" \ diff --git a/modules/tpm2-tss b/modules/tpm2-tss index 0fad79ef5..eb5af1b47 100644 --- a/modules/tpm2-tss +++ b/modules/tpm2-tss @@ -8,6 +8,20 @@ tpm2-tss_url := https://github.com/tpm2-software/tpm2-tss/releases/download/$(tp tpm2-tss_hash := 48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912 tpm2-tss_configure := aclocal && automake --add-missing && autoreconf -fi \ + && sed -i 's/hardcode_direct=yes/hardcode_direct=no/g' configure \ + && sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \ + && sed -i 's/hardcode_minus_L=yes/hardcode_minus_L=no/g' configure \ + && sed -i 's/hardcode_direct_absolute=yes/hardcode_direct_absolute=no/g' configure \ + && sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure \ + && sed -i 's/hardcode_libdir_flag_spec_CXX=.*/hardcode_libdir_flag_spec_CXX=" "/' configure \ + && sed -i 's/hardcode_automatic=yes/hardcode_automatic=no/g' configure \ + && sed -i 's/hardcode_runpath_var=yes/hardcode_runpath_var=no/g' configure \ + && sed -i 's/hardcode_direct_CXX=yes/hardcode_direct_CXX=no/g' configure \ + && sed -i 's/hardcode_direct_absolute_CXX=yes/hardcode_direct_absolute_CXX=no/g' configure \ + && sed -i 's/hardcode_minus_L_CXX=yes/hardcode_minus_L_CXX=no/g' configure \ + && sed -i 's/hardcode_automatic_CXX=yes/hardcode_automatic_CXX=no/g' configure \ + && sed -i 's/inherit_rpath=yes/inherit_rpath=no/g' configure \ + && sed -i 's/inherit_rpath_CXX=yes/inherit_rpath_CXX=no/g' configure \ && ./configure \ $(CROSS_TOOLS) \ --host $(MUSL_ARCH)-elf-linux \ diff --git a/patches/openssl-3.0.8.patch b/patches/openssl-3.0.8.patch new file mode 100644 index 000000000..db4e79e4d --- /dev/null +++ b/patches/openssl-3.0.8.patch @@ -0,0 +1,35 @@ +--- ./util/mkbuildinf.pl.orig 2023-02-07 08:43:33.000000000 -0500 ++++ ./util/mkbuildinf.pl 2024-03-27 14:36:49.974651246 -0400 +@@ -12,7 +12,7 @@ + my ($cflags, $platform) = @ARGV; + $cflags = "compiler: $cflags"; + +-my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || time()) . " UTC"; ++my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || '0') . " UTC"; + + print <<"END_OUTPUT"; + /* +@@ -36,21 +36,7 @@ + * literal + */ + static const char compiler_flags[] = { +-END_OUTPUT +- +-my $ctr = 0; +-foreach my $c (split //, $cflags) { +- $c =~ s|([\\'])|\\$1|; +- # Max 16 characters per line +- if (($ctr++ % 16) == 0) { +- if ($ctr != 1) { +- print "\n"; +- } +- print " "; +- } +- print "'$c',"; +-} +-print <<"END_OUTPUT"; +-'\\0' ++ 'r','e','p','r','o','d','u','c','i','b','l','e',' ','b','u','i', ++ 'l','d','\\0' + }; + END_OUTPUT From ddef2337083206a2811cc20bf98afc4145a55988 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 2 Apr 2024 12:18:39 -0400 Subject: [PATCH 3/6] modules-tpm2-tools: bump from 5.2->5.6 (removes need to hack around PACKAGE_VERSION string which configure.ac points to ./VERSION already tpm2-tools-5.6 patch: comment out git versioning output under ./VERSION; module: output current version under ./VERSION instead. Document under module Signed-off-by: Thierry Laurion --- modules/tpm2-tools | 26 ++++++++++------------ patches/tpm2-tools-5.2.patch | 33 ---------------------------- patches/tpm2-tools-5.6.patch | 42 ++++++++++++++++++++++++++++++++++++ 3 files changed, 53 insertions(+), 48 deletions(-) delete mode 100644 patches/tpm2-tools-5.2.patch create mode 100644 patches/tpm2-tools-5.6.patch diff --git a/modules/tpm2-tools b/modules/tpm2-tools index 7407dae0c..df06afaf3 100644 --- a/modules/tpm2-tools +++ b/modules/tpm2-tools @@ -8,34 +8,30 @@ ifeq "$(CONFIG_TPM2_TOOLS)" "y" export CONFIG_TPM=y endif -tpm2-tools_version := 5.2 +tpm2-tools_version := 5.6 #tpm2-tools_version := 78a7681 #tpm2-tools_repo := https://github.com/tpm2-software/tpm2-tools.git tpm2-tools_dir := tpm2-tools-$(tpm2-tools_version) tpm2-tools_tar := tpm2-tools-$(tpm2-tools_version).tar.gz tpm2-tools_url := https://github.com/tpm2-software/tpm2-tools/releases/download/$(tpm2-tools_version)/$(tpm2-tools_tar) -tpm2-tools_hash := c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630 +tpm2-tools_hash := 52c8bcbaadca082abfe5eb7ee4967d2d632d84b1677675f2f071b6d2ec22cec3 -# we have ESYS 3.0, but it doesn't figure that out on its own +#tpm2-tools 5.6 adds release version based on git, while tarball downloaded doesn't include any .git +# the patch comments out git output to ./VERSION, and we fill it here based on this Makefile's version +#tpm2-tools doesn't play nice with reproducible builds, hardcoding lib paths without providing a configure option to remove rpaths +# We make sure no hardcoding of libdir flags exist in configure script prior of calling the script with sed call +# We pass additional remapping of prefix-map from $INSTALL to local dir tpm2-tools_configure := \ - ./bootstrap \ - && sed -i 's/hardcode_direct=yes/hardcode_direct=no/g' configure \ - && sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \ - && sed -i 's/hardcode_minus_L=yes/hardcode_minus_L=no/g' configure \ - && sed -i 's/hardcode_automatic=yes/hardcode_automatic=no/g' configure \ - && sed -i 's/hardcode_runpath_var=yes/hardcode_runpath_var=no/g' configure \ - && sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure \ - && sed -i 's/hardcode_direct_absolute=yes/hardcode_direct_absolute=no/g' configure \ - && sed -i 's/inherit_rpath=yes/inherit_rpath=no/g' configure \ - && sed -i "s/VERSION='.*'/VERSION='reproducible_build'/g" configure \ + echo "$(tpm2-tools_version)" > ./VERSION \ + && ./bootstrap \ + && sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=/' configure \ && ./configure \ $(CROSS_TOOLS) \ --host $(MUSL_ARCH)-elf-linux \ --prefix "/" \ --disable-fapi \ - TSS2_ESYS_3_0_CFLAGS="-I$(INSTALL)/include" \ - TSS2_ESYS_3_0_LIBS="-ltss2-esys" \ + CFLAGS="-fdebug-prefix-map=$(INSTALL)=." \ tpm2-tools_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/patches/tpm2-tools-5.2.patch b/patches/tpm2-tools-5.2.patch deleted file mode 100644 index f4720f230..000000000 --- a/patches/tpm2-tools-5.2.patch +++ /dev/null @@ -1,33 +0,0 @@ -diff --git a/Makefile.am b/Makefile.am -index 7132215..32e2193 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -93,7 +93,7 @@ tss2_tools = \ - - # Bundle all the tools into a single program similar to busybox - bin_PROGRAMS += tools/tpm2 --tools_tpm2_LDADD = $(LDADD) $(CURL_LIBS) -+tools_tpm2_LDADD = $(LDADD) - tools_tpm2_CFLAGS = $(AM_CFLAGS) -DTPM2_TOOLS_MAX="$(words $(tpm2_tools))" - tools_tpm2_SOURCES = \ - tools/tpm2_tool.c \ -@@ -127,7 +127,6 @@ tpm2_tools = \ - tools/tpm2_encryptdecrypt.c \ - tools/tpm2_evictcontrol.c \ - tools/tpm2_flushcontext.c \ -- tools/tpm2_getekcertificate.c \ - tools/tpm2_getrandom.c \ - tools/tpm2_gettime.c \ - tools/tpm2_hash.c \ -diff --git a/configure.ac b/configure.ac -index f1c1711..7279baa 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -59,7 +59,6 @@ PKG_CHECK_MODULES([TSS2_MU], [tss2-mu]) - PKG_CHECK_MODULES([TSS2_RC], [tss2-rc]) - PKG_CHECK_MODULES([TSS2_SYS], [tss2-sys]) - PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0]) --PKG_CHECK_MODULES([CURL], [libcurl]) - - # pretty print of devicepath if efivar library is present - PKG_CHECK_MODULES([EFIVAR], [efivar],,[true]) diff --git a/patches/tpm2-tools-5.6.patch b/patches/tpm2-tools-5.6.patch new file mode 100644 index 000000000..991d0791c --- /dev/null +++ b/patches/tpm2-tools-5.6.patch @@ -0,0 +1,42 @@ +--- ./bootstrap.orig 2023-11-08 02:19:36.000000000 -0500 ++++ ./bootstrap 2024-04-03 12:18:46.722995465 -0400 +@@ -5,7 +5,7 @@ + + # Generate a VERSION file that is included in the dist tarball to avoid needed git + # when calling autoreconf in a release tarball. +-git describe --tags --always --dirty > VERSION ++#git describe --tags --always --dirty > VERSION + + # generate list of source files for use in Makefile.am + # if you add new source files, you must run ./bootstrap again +diff --git a/Makefile.am b/Makefile.am +index 7132215..32e2193 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -93,7 +93,7 @@ tss2_tools = \ + + # Bundle all the tools into a single program similar to busybox + bin_PROGRAMS += tools/tpm2 +-tools_tpm2_LDADD = $(LDADD) $(CURL_LIBS) ++tools_tpm2_LDADD = $(LDADD) + tools_tpm2_CFLAGS = $(AM_CFLAGS) -DTPM2_TOOLS_MAX="$(words $(tpm2_tools))" + tools_tpm2_SOURCES = \ + tools/tpm2_tool.c \ +@@ -127,7 +127,6 @@ tpm2_tools = \ + tools/tpm2_encryptdecrypt.c \ + tools/tpm2_evictcontrol.c \ + tools/tpm2_flushcontext.c \ +- tools/tpm2_getekcertificate.c \ + tools/tpm2_getrandom.c \ + tools/tpm2_gettime.c \ + tools/tpm2_hash.c \ +--- ./configure.ac.orig 2023-11-08 02:19:36.000000000 -0500 ++++ ./configure.ac 2024-04-02 12:05:00.270985575 -0400 +@@ -80,7 +80,6 @@ + AC_CHECK_LIB(crypto, [EVP_sm4_cfb128], [ + AC_DEFINE([HAVE_EVP_SM4_CFB], [1], [Support EVP_sm4_cfb in openssl])], + []) +-PKG_CHECK_MODULES([CURL], [libcurl]) + + # pretty print of devicepath if efivar library is present + # auto detect if not specified via the --with-efivar option. From 8208c86efefa5df2e28f63417fba86b8e09ff8c1 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 2 Apr 2024 16:02:13 -0400 Subject: [PATCH 4/6] modules/tpm2-tss: sed configure script to remove hardcoding of libs, move patch 3.2.0->3.2.2 disable static lib builds Signed-off-by: Thierry Laurion --- modules/tpm2-tss | 26 ++++++++----------- ...2-tss-3.2.0.patch => tpm2-tss-3.2.2.patch} | 0 2 files changed, 11 insertions(+), 15 deletions(-) rename patches/{tpm2-tss-3.2.0.patch => tpm2-tss-3.2.2.patch} (100%) diff --git a/modules/tpm2-tss b/modules/tpm2-tss index eb5af1b47..3795e21f5 100644 --- a/modules/tpm2-tss +++ b/modules/tpm2-tss @@ -1,27 +1,22 @@ # TPM2 TSS library modules-$(CONFIG_TPM2_TSS) += tpm2-tss -tpm2-tss_version := 3.2.0 +tpm2-tss_version := 3.2.2 tpm2-tss_dir := tpm2-tss-$(tpm2-tss_version) tpm2-tss_tar := tpm2-tss-$(tpm2-tss_version).tar.gz tpm2-tss_url := https://github.com/tpm2-software/tpm2-tss/releases/download/$(tpm2-tss_version)/$(tpm2-tss_tar) -tpm2-tss_hash := 48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912 +tpm2-tss_hash := ba9e52117f254f357ff502e7d60fce652b3bfb26327d236bbf5ab634235e40f1 +#Repro checks: +# find build/x86/tpm2-tss-3.2.2/src/*/.libs/libtss2-*so* | while read file; do echo "library $file:"; strings $file|grep heads; done +# Should not return any result + +#NEEDED otherwise output on previous command +#sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure +# needed otherwise library build/x86/tpm2-tss-3.2.2/src/tss2-tcti/.libs/libtss2-tcti-pcap.so.0.0.0: +# contains: /home/user/heads/build/x86/tpm2-tss-3.2.2/src/tss2-tcti/.libs:/home/user/heads/build/x86/tpm2-tss-3.2.2/src/tss2-mu/.libs://lib tpm2-tss_configure := aclocal && automake --add-missing && autoreconf -fi \ - && sed -i 's/hardcode_direct=yes/hardcode_direct=no/g' configure \ - && sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \ - && sed -i 's/hardcode_minus_L=yes/hardcode_minus_L=no/g' configure \ - && sed -i 's/hardcode_direct_absolute=yes/hardcode_direct_absolute=no/g' configure \ && sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure \ - && sed -i 's/hardcode_libdir_flag_spec_CXX=.*/hardcode_libdir_flag_spec_CXX=" "/' configure \ - && sed -i 's/hardcode_automatic=yes/hardcode_automatic=no/g' configure \ - && sed -i 's/hardcode_runpath_var=yes/hardcode_runpath_var=no/g' configure \ - && sed -i 's/hardcode_direct_CXX=yes/hardcode_direct_CXX=no/g' configure \ - && sed -i 's/hardcode_direct_absolute_CXX=yes/hardcode_direct_absolute_CXX=no/g' configure \ - && sed -i 's/hardcode_minus_L_CXX=yes/hardcode_minus_L_CXX=no/g' configure \ - && sed -i 's/hardcode_automatic_CXX=yes/hardcode_automatic_CXX=no/g' configure \ - && sed -i 's/inherit_rpath=yes/inherit_rpath=no/g' configure \ - && sed -i 's/inherit_rpath_CXX=yes/inherit_rpath_CXX=no/g' configure \ && ./configure \ $(CROSS_TOOLS) \ --host $(MUSL_ARCH)-elf-linux \ @@ -31,6 +26,7 @@ tpm2-tss_configure := aclocal && automake --add-missing && autoreconf -fi \ --disable-doxygen-rtf \ --disable-doxygen-html \ --disable-fapi \ + --disable-static \ # Run one build to generate the executables with the pre-defined # exec_prefix and datarootdir, then a second make to install the binaries diff --git a/patches/tpm2-tss-3.2.0.patch b/patches/tpm2-tss-3.2.2.patch similarity index 100% rename from patches/tpm2-tss-3.2.0.patch rename to patches/tpm2-tss-3.2.2.patch From be714301677a366ec4c812ac801cd852cf1e65ef Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 9 Apr 2024 12:36:03 -0400 Subject: [PATCH 5/6] modules/tpm2-tools: Add TODO to uniformize live patching through sed calls as opposed to patch version specific autotools/configure scripts to force reproducible builds Signed-off-by: Thierry Laurion --- modules/tpm2-tools | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/tpm2-tools b/modules/tpm2-tools index df06afaf3..bba25bc5d 100644 --- a/modules/tpm2-tools +++ b/modules/tpm2-tools @@ -9,8 +9,6 @@ ifeq "$(CONFIG_TPM2_TOOLS)" "y" endif tpm2-tools_version := 5.6 -#tpm2-tools_version := 78a7681 -#tpm2-tools_repo := https://github.com/tpm2-software/tpm2-tools.git tpm2-tools_dir := tpm2-tools-$(tpm2-tools_version) tpm2-tools_tar := tpm2-tools-$(tpm2-tools_version).tar.gz @@ -22,10 +20,12 @@ tpm2-tools_hash := 52c8bcbaadca082abfe5eb7ee4967d2d632d84b1677675f2f071b6d2ec22c #tpm2-tools doesn't play nice with reproducible builds, hardcoding lib paths without providing a configure option to remove rpaths # We make sure no hardcoding of libdir flags exist in configure script prior of calling the script with sed call # We pass additional remapping of prefix-map from $INSTALL to local dir +# +# TODO: remove all patches and uniformize with similar sed calls. tpm2-tools_configure := \ echo "$(tpm2-tools_version)" > ./VERSION \ && ./bootstrap \ - && sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=/' configure \ + && sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \ && ./configure \ $(CROSS_TOOLS) \ --host $(MUSL_ARCH)-elf-linux \ From 60d9aa4d5a54d1ef7e2878299f2c78a3ace3a4ce Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Thu, 25 Apr 2024 20:23:28 -0400 Subject: [PATCH 6/6] tpmr: remove warning "Warn: check public portion of the tpmkey manually" Discussed under https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429 TODO added in code. Signed-off-by: Thierry Laurion --- initrd/bin/tpmr | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr index 630454e17..a740d4a03 100755 --- a/initrd/bin/tpmr +++ b/initrd/bin/tpmr @@ -347,8 +347,10 @@ tpm2_startsession() { --saved-session || die "tpm2_flushcontext: unable to flush saved session" tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE" - tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" - tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" + #TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429 + tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" 2>&1 > /dev/null + #TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429 + tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" 2>&1 > /dev/null tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE" }