make openssl libtss2 tpm2 reproducible

.circleci/config.yml

@@ -45,6 +45,7 @@ jobs:
     docker:
       - image: debian:11
     resource_class: large
+    working_directory: ~/heads
     steps:
       - run:
           name: Install dependencies
@@ -53,7 +54,6 @@ jobs:
             apt update
             apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo imagemagick libncurses5-dev
       - checkout
-
       - run:
           name: git reset
           command: |
@@ -120,6 +120,7 @@ jobs:
     docker:
       - image: debian:11
     resource_class: large
+    working_directory: ~/heads
     parameters:
       arch:
         type: string
@@ -138,15 +139,16 @@ jobs:
       - persist_to_workspace:
           root: ~/
           paths:
-            - project/packages/<<parameters.arch>>
-            - project/build/<<parameters.arch>>
-            - project/crossgcc/<<parameters.arch>>
-            - project/install/<<parameters.arch>>
+            - heads/packages/<<parameters.arch>>
+            - heads/build/<<parameters.arch>>
+            - heads/crossgcc/<<parameters.arch>>
+            - heads/install/<<parameters.arch>>
 
   build:
     docker:
       - image: debian:11
     resource_class: large
+    working_directory: ~/heads
     parameters:
       arch:
         type: string
@@ -167,6 +169,7 @@ jobs:
     docker:
       - image: debian:11
     resource_class: large
+    working_directory: ~/heads
     steps:
       - attach_workspace:
           at: ~/
@@ -236,13 +239,12 @@ workflows:
       # since kernel is 6.x and coreboot is git is unshared
       # We use nitropad's coreboot's fork crossgcc
       # No need to wait further for other board's cache.
-      # We reuse built modules from x230-hotp-maximized cache only
       - build_and_persist:
           name: nitropad-nv41
           target: nitropad-nv41
           subcommand: ""
           requires:
-            - x230-hotp-maximized
+            - prep_env
 
       # coreboot-git Talos II (PPC)
       - build_and_persist:
@@ -527,3 +529,4 @@ workflows:
 #          path: build/UNMAINTAINED_qemu-linuxboot/linuxboot.rom
 #      - store-artifacts:
 #          path: build/UNMAINTAINED_qemu-linuxboot/hashes.txt
+

Makefile

@@ -793,3 +793,5 @@ real.clean:
 		fi; \
 	done
 	cd install && rm -rf -- *
+real.gitclean:
+	git clean -fxd

initrd/bin/tpmr

@@ -347,8 +347,10 @@ tpm2_startsession() {
 		--saved-session ||
 		die "tpm2_flushcontext: unable to flush saved session"
 	tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE"
-	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE"
-	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE"
+	#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
+	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" 2>&1 > /dev/null
+	#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
+	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" 2>&1 > /dev/null
 	tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE"
 }
 

modules/tpm2-tools

@@ -8,23 +8,30 @@ ifeq "$(CONFIG_TPM2_TOOLS)" "y"
 	export CONFIG_TPM=y
 endif
 
-tpm2-tools_version := 5.2
-#tpm2-tools_version := 78a7681
-#tpm2-tools_repo := https://github.com/tpm2-software/tpm2-tools.git
+tpm2-tools_version := 5.6
 
 tpm2-tools_dir := tpm2-tools-$(tpm2-tools_version)
 tpm2-tools_tar := tpm2-tools-$(tpm2-tools_version).tar.gz
 tpm2-tools_url := https://github.com/tpm2-software/tpm2-tools/releases/download/$(tpm2-tools_version)/$(tpm2-tools_tar)
-tpm2-tools_hash := c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630
+tpm2-tools_hash := 52c8bcbaadca082abfe5eb7ee4967d2d632d84b1677675f2f071b6d2ec22cec3
 
-# we have ESYS 3.0, but it doesn't figure that out on its own
-tpm2-tools_configure := ./bootstrap && ./configure \
+#tpm2-tools 5.6 adds release version based on git, while tarball downloaded doesn't include any .git
+#  the patch comments out git output to ./VERSION, and we fill it here based on this Makefile's version
+#tpm2-tools doesn't play nice with reproducible builds, hardcoding lib paths without providing a configure option to remove rpaths
+#  We make sure no hardcoding of libdir flags exist in configure script prior of calling the script with sed call
+#  We pass additional remapping of prefix-map from $INSTALL to local dir
+#
+# TODO: remove all patches and uniformize with similar sed calls.
+tpm2-tools_configure := \
+	echo "$(tpm2-tools_version)" > ./VERSION \
+	&& ./bootstrap \
+	&& sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \
+	&& ./configure \
 	$(CROSS_TOOLS) \
 	--host $(MUSL_ARCH)-elf-linux \
 	--prefix "/" \
 	--disable-fapi \
-	TSS2_ESYS_3_0_CFLAGS="-I$(INSTALL)/include" \
-	TSS2_ESYS_3_0_LIBS="-ltss2-esys" \
+	CFLAGS="-fdebug-prefix-map=$(INSTALL)=." \
 
 tpm2-tools_target := $(MAKE_JOBS) \
 	DESTDIR="$(INSTALL)" \

modules/tpm2-tss

@@ -1,13 +1,22 @@
 # TPM2 TSS library
 modules-$(CONFIG_TPM2_TSS) += tpm2-tss
 
-tpm2-tss_version := 3.2.0
+tpm2-tss_version := 3.2.2
 tpm2-tss_dir := tpm2-tss-$(tpm2-tss_version)
 tpm2-tss_tar := tpm2-tss-$(tpm2-tss_version).tar.gz
 tpm2-tss_url := https://github.com/tpm2-software/tpm2-tss/releases/download/$(tpm2-tss_version)/$(tpm2-tss_tar)
-tpm2-tss_hash := 48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912
+tpm2-tss_hash := ba9e52117f254f357ff502e7d60fce652b3bfb26327d236bbf5ab634235e40f1
 
+#Repro checks:
+# find build/x86/tpm2-tss-3.2.2/src/*/.libs/libtss2-*so* | while read file; do echo "library $file:"; strings $file|grep heads; done
+#  Should not return any result 
+
+#NEEDED otherwise output on previous command
+#sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure
+# needed otherwise library build/x86/tpm2-tss-3.2.2/src/tss2-tcti/.libs/libtss2-tcti-pcap.so.0.0.0:
+# contains: /home/user/heads/build/x86/tpm2-tss-3.2.2/src/tss2-tcti/.libs:/home/user/heads/build/x86/tpm2-tss-3.2.2/src/tss2-mu/.libs://lib
 tpm2-tss_configure := aclocal && automake --add-missing && autoreconf -fi \
+	&& sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure \
 	&& ./configure \
 	$(CROSS_TOOLS) \
 	--host $(MUSL_ARCH)-elf-linux \
@@ -17,6 +26,7 @@ tpm2-tss_configure := aclocal && automake --add-missing && autoreconf -fi \
 	--disable-doxygen-rtf \
 	--disable-doxygen-html \
 	--disable-fapi \
+	--disable-static \
 
 # Run one build to generate the executables with the pre-defined
 # exec_prefix and datarootdir, then a second make to install the binaries

patches/openssl-3.0.8.patch

@@ -0,0 +1,35 @@
+--- ./util/mkbuildinf.pl.orig   2023-02-07 08:43:33.000000000 -0500
++++ ./util/mkbuildinf.pl	2024-03-27 14:36:49.974651246 -0400
+@@ -12,7 +12,7 @@
+ my ($cflags, $platform) = @ARGV;
+ $cflags = "compiler: $cflags";
+
+-my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || time()) . " UTC";
++my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || '0') . " UTC";
+
+ print <<"END_OUTPUT";
+ /*
+@@ -36,21 +36,7 @@
+  * literal
+  */
+ static const char compiler_flags[] = {
+-END_OUTPUT
+-
+-my $ctr = 0;
+-foreach my $c (split //, $cflags) {
+-    $c =~ s|([\\'])|\\$1|;
+-    # Max 16 characters per line
+-    if  (($ctr++ % 16) == 0) {
+-        if ($ctr != 1) {
+-            print "\n";
+-        }
+-        print "    ";
+-    }
+-    print "'$c',";
+-}
+-print <<"END_OUTPUT";
+-'\\0'
++    'r','e','p','r','o','d','u','c','i','b','l','e',' ','b','u','i',
++    'l','d','\\0'
+ };
+ END_OUTPUT

patches/tpm2-tools-5.6.patch

@@ -0,0 +1,42 @@
+--- ./bootstrap.orig    2023-11-08 02:19:36.000000000 -0500
++++ ./bootstrap 2024-04-03 12:18:46.722995465 -0400
+@@ -5,7 +5,7 @@
+
+ # Generate a VERSION file that is included in the dist tarball to avoid needed git
+ # when calling autoreconf in a release tarball.
+-git describe --tags --always --dirty > VERSION
++#git describe --tags --always --dirty > VERSION
+
+ # generate list of source files for use in Makefile.am
+ # if you add new source files, you must run ./bootstrap again
+diff --git a/Makefile.am b/Makefile.am
+index 7132215..32e2193 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -93,7 +93,7 @@ tss2_tools = \
+
+ # Bundle all the tools into a single program similar to busybox
+ bin_PROGRAMS += tools/tpm2
+-tools_tpm2_LDADD = $(LDADD) $(CURL_LIBS)
++tools_tpm2_LDADD = $(LDADD)
+ tools_tpm2_CFLAGS = $(AM_CFLAGS) -DTPM2_TOOLS_MAX="$(words $(tpm2_tools))"
+ tools_tpm2_SOURCES = \
+ 	tools/tpm2_tool.c \
+@@ -127,7 +127,6 @@ tpm2_tools = \
+     tools/tpm2_encryptdecrypt.c \
+     tools/tpm2_evictcontrol.c \
+     tools/tpm2_flushcontext.c \
+-    tools/tpm2_getekcertificate.c \
+     tools/tpm2_getrandom.c \
+     tools/tpm2_gettime.c \
+     tools/tpm2_hash.c \
+--- ./configure.ac.orig	2023-11-08 02:19:36.000000000 -0500
++++ ./configure.ac	2024-04-02 12:05:00.270985575 -0400
+@@ -80,7 +80,6 @@
+ AC_CHECK_LIB(crypto, [EVP_sm4_cfb128], [
+         AC_DEFINE([HAVE_EVP_SM4_CFB], [1], [Support EVP_sm4_cfb in openssl])],
+         [])
+-PKG_CHECK_MODULES([CURL], [libcurl])
+
+ # pretty print of devicepath if efivar library is present
+ # auto detect if not specified via the --with-efivar option.