commit b01196a13338e1e7b6c4026954d64c0ae93257d4 · pyrox.dev/nixpkgs

+2

doc/release-notes/rl-2505.section.md

···

       351
       351
        
       

     

       352
       352
        
       - GOverlay has been updated to 1.2, please check the [upstream changelog](https://github.com/benjamimgois/goverlay/releases) for more details.

     

       353
       353
        
       

     

       354
       354
       +
       - `tpm2-pkcs11` now has the variant `tpm2-pkcs11-fapi`, which has been patched to default to the Feature API backend. It has also been split into `tpm2-pkcs11-esapi`, which _only_ supports the older Enhanced System API backend. Note the [differences](https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.1/docs/FAPI.md), and that `tpm2-pkcs11` itself still needs `TPM2_PKCS11_BACKEND=fapi` exported in order to use the Feature API, whereas `tpm2-pkcs11-fapi` does not, and `tpm2-pkcs11-esapi` just does not support fapi entirely.

     

       355
       355
       +
       

     

       354
       356
        
       - For matrix homeserver Synapse we are now following the upstream recommendation to enable jemalloc as the memory allocator by default.

     

       355
       357
        
       

     

       356
       358
        
       - In `dovecot` package removed hard coding path to module directory.

+12

pkgs/by-name/tp/tpm2-pkcs11-esapi/package.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         tpm2-pkcs11,

     

       3
       3
       +
         ...

     

       4
       4
       +
       }@args:

     

       5
       5
       +
       

     

       6
       6
       +
       tpm2-pkcs11.override (

     

       7
       7
       +
         args

     

       8
       8
       +
         // {

     

       9
       9
       +
           fapiSupport = false;

     

       10
       10
       +
           extraDescription = "Disables FAPI support, as if TPM2_PKCS11_BACKEND were always set to 'esysdb'.";

     

       11
       11
       +
         }

     

       12
       12
       +
       )

+13

pkgs/by-name/tp/tpm2-pkcs11-fapi/package.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         tpm2-pkcs11,

     

       3
       3
       +
         ...

     

       4
       4
       +
       }@args:

     

       5
       5
       +
       

     

       6
       6
       +
       tpm2-pkcs11.override (

     

       7
       7
       +
         args

     

       8
       8
       +
         // {

     

       9
       9
       +
           fapiSupport = true;

     

       10
       10
       +
           defaultToFapi = true;

     

       11
       11
       +
           extraDescription = "Enables fapi by default, as if TPM2_PKCS11_BACKEND defaulted to 'fapi'.";

     

       12
       12
       +
         }

     

       13
       13
       +
       )

+33

pkgs/by-name/tp/tpm2-pkcs11/default-to-fapi.patch

···

       1
       1
       +
       From 648f0d08953152185e13feaca4feda02f8665341 Mon Sep 17 00:00:00 2001

     

       2
       2
       +
       From: Morgan Jones <me@numin.it>

     

       3
       3
       +
       Date: Wed, 9 Apr 2025 00:12:47 -0700

     

       4
       4
       +
       Subject: [PATCH] backend: default to fapi

     

       5
       5
       +
       

     

       6
       6
       +
       ---

     

       7
       7
       +
        src/lib/backend.c | 8 ++++----

     

       8
       8
       +
        1 file changed, 4 insertions(+), 4 deletions(-)

     

       9
       9
       +
       

     

       10
       10
       +
       diff --git a/src/lib/backend.c b/src/lib/backend.c

     

       11
       11
       +
       index 128f58b..8404afe 100644

     

       12
       12
       +
       --- a/src/lib/backend.c

     

       13
       13
       +
       +++ b/src/lib/backend.c

     

       14
       14
       +
       @@ -15,12 +15,12 @@ static enum backend get_backend(void) {

     

       15
       15
       +
        

     

       16
       16
       +
            const char *env = getenv("TPM2_PKCS11_BACKEND");

     

       17
       17
       +
        

     

       18
       18
       +
       -    if (!env || !strcasecmp(env, "esysdb")) {

     

       19
       19
       +
       -        return backend_esysdb;

     

       20
       20
       +
       +    if (!env || !strcasecmp(env, "fapi")) {

     

       21
       21
       +
       +        return backend_fapi;

     

       22
       22
       +
            }

     

       23
       23
       +
        

     

       24
       24
       +
       -    if (!strcasecmp(env, "fapi")) {

     

       25
       25
       +
       -        return backend_fapi;

     

       26
       26
       +
       +    if (!strcasecmp(env, "esysdb")) {

     

       27
       27
       +
       +        return backend_esysdb;

     

       28
       28
       +
            }

     

       29
       29
       +
        

     

       30
       30
       +
            return backend_error;

     

       31
       31
       +
       -- 

     

       32
       32
       +
       2.47.0

     

       33
       33
       +

+30 -7

pkgs/by-name/tp/tpm2-pkcs11/package.nix

···

       26
       26
        
         swtpm,

     

       27
       27
        
         tpm2-abrmd,

     

       28
       28
        
         tpm2-openssl,

     

       29
       29
       -
         tpm2-pkcs11, # for passthru abrmd tests

     

       29
       29
       +
         tpm2-pkcs11, # for passthru tests

     

       30
       30
       +
         tpm2-pkcs11-esapi,

     

       31
       31
       +
         tpm2-pkcs11-fapi,

     

       30
       32
        
         tpm2-tools,

     

       31
       33
        
         tpm2-tss,

     

       32
       34
        
         which,

     

       33
       35
        
         xxd,

     

       34
       36
        
         abrmdSupport ? false,

     

       35
       37
        
         fapiSupport ? true,

     

       38
       38
       +
         defaultToFapi ? false,

     

       36
       39
        
         enableFuzzing ? false,

     

       40
       40
       +
         extraDescription ? null,

     

       37
       41
        
       }:

     

       38
       42
        
       

     

       39
       43
        
       let

     
···

       51
       55
        
         };

     

       52
       56
        
       

     

       53
       57
        
         # Disable Java‐based tests because of missing dependencies

     

       54
       54
       -
         patches = [ ./disable-java-integration.patch ];

     

       58
       58
       +
         patches =

     

       59
       59
       +
           lib.singleton ./disable-java-integration.patch

     

       60
       60
       +
           ++ lib.optional defaultToFapi ./default-to-fapi.patch;

     

       55
       61
        
       

     

       56
       62
        
         postPatch = ''

     

       57
       63
        
           echo ${lib.escapeShellArg finalAttrs.version} >VERSION

     
···

       80
       86
        
           [

     

       81
       87
        
             (lib.enableFeature finalAttrs.doCheck "unit")

     

       82
       88
        
             (lib.enableFeature finalAttrs.doCheck "integration")

     

       89
       89
       +
       

     

       90
       90
       +
             # Strangely, it uses --with-fapi=yes|no instead of a normal configure flag.

     

       91
       91
       +
             "--with-fapi=${if fapiSupport then "yes" else "no"}"

     

       83
       92
        
           ]

     

       84
       93
        
           ++ lib.optionals enableFuzzing [

     

       85
       94
        
             "--enable-fuzzing"

     

       86
       95
        
             "--disable-hardening"

     

       87
       87
       -
           ]

     

       88
       88
       -
           ++ lib.optional fapiSupport "--with-fapi";

     

       96
       96
       +
           ];

     

       89
       97
        
       

     

       90
       98
        
         strictDeps = true;

     

       91
       99
        
       

     
···

       178
       186
        
       

     

       179
       187
        
             # Enable tests to load TPM2 OpenSSL module

     

       180
       188
        
             export OPENSSL_MODULES="${openssl-modules}/lib/ossl-modules"

     

       189
       189
       +
           ''

     

       190
       190
       +
           + lib.optionalString defaultToFapi ''

     

       191
       191
       +
             # Need to change the default since the tests expect the other way.

     

       192
       192
       +
             export TPM2_PKCS11_BACKEND=esysdb

     

       181
       193
        
           '';

     

       182
       194
        
       

     

       183
       195
        
         postInstall = ''

     
···

       211
       223
        
           '';

     

       212
       224
        
       

     

       213
       225
        
         passthru = {

     

       214
       214
       -
           tests.tpm2-pkcs11-abrmd = tpm2-pkcs11.override {

     

       215
       215
       -
             abrmdSupport = true;

     

       226
       226
       +
           tests = {

     

       227
       227
       +
             inherit tpm2-pkcs11-esapi tpm2-pkcs11-fapi;

     

       228
       228
       +
             tpm2-pkcs11-abrmd = tpm2-pkcs11.override {

     

       229
       229
       +
               abrmdSupport = true;

     

       230
       230
       +
             };

     

       231
       231
       +
             tpm2-pkcs11-esapi-abrmd = tpm2-pkcs11-esapi.override {

     

       232
       232
       +
               abrmdSupport = true;

     

       233
       233
       +
             };

     

       234
       234
       +
             tpm2-pkcs11-fapi-abrmd = tpm2-pkcs11-fapi.override {

     

       235
       235
       +
               abrmdSupport = true;

     

       236
       236
       +
             };

     

       216
       237
        
           };

     

       217
       238
        
         };

     

       218
       239
        
       

     

       219
       240
        
         meta = {

     

       220
       220
       -
           description = "PKCS#11 interface for TPM2 hardware";

     

       241
       241
       +
           description =

     

       242
       242
       +
             "PKCS#11 interface for TPM2 hardware."

     

       243
       243
       +
             + lib.optionalString (extraDescription != null) " ${extraDescription}";

     

       221
       244
        
           homepage = "https://github.com/tpm2-software/tpm2-pkcs11";

     

       222
       245
        
           license = lib.licenses.bsd2;

     

       223
       246
        
           platforms = lib.platforms.linux;