TSS aligned with TPM2 engine

Doug Fraser
 

Hello,

I recently pulled v2.1.0 of openssl_tpm2_engine for cross compilation on a 32 bit ARMv7 architecture to interface to an Infineon SLB9670 with the latest firmware for TPM2.0

I am running a TSS from https://github.com/tpm2-software/tpm2-tss (2.0.0) and TPM2 tools from https://github.com/tpm2-software/tpm2-tools (3.1.0).

I have demonstrated control over the device under Linux 4.14.77 using these tools and the kernel configured for TPM

When I try to autoconfig the openssl_tpm2_engine, it fails to find tss because of library naming mismatches.

I am in the process of editing the configure script to pull the proper headers, but I would appreciate it if I am headed off a cliff (or into a box canyon, pick your metaphor), and someone could yell 'STOP' now.....

I had to pull a little configure 'magic' to get tpm2-tools to cross compile against tpm2-tss, so this is not that surprising.

Thanks,

Douglas Fraser
Veea Systems Inc.

James Bottomley
 

On Wed, 2018-12-19 at 15:32 +0000, Doug Fraser wrote:
Hello,

I recently pulled v2.1.0 of openssl_tpm2_engine for cross compilation
on a 32 bit ARMv7 architecture to interface to an Infineon SLB9670
with the latest firmware for TPM2.0

I am running a TSS from https://github.com/tpm2-software/tpm2-tss
(2.0.0) and TPM2 tools from https://github.com/tpm2-software/tpm2-
tools (3.1.0).

I have demonstrated control over the device under Linux 4.14.77 using
these tools and the kernel configured for TPM

When I try to autoconfig the openssl_tpm2_engine, it fails to find
tss because of library naming mismatches.
That's probably because it's looking for this library:

https://sourceforge.net/projects/ibmtpm20tss/

I am in the process of editing the configure script to pull the
proper headers, but I would appreciate it if I am headed off a cliff
(or into a box canyon, pick your metaphor), and someone could yell
'STOP' now.....
Yes, STOP. The Intel TSS you have above is based on ESAPI so has a
totally different API. The IBM TSS uses the TPM command API, which is
what the engine also uses. The two TSSs are API and installation
orthogonal, so you can install both at once and, eventually, we might
get them merged.

James


I had to pull a little configure 'magic' to get tpm2-tools to cross
compile against tpm2-tss, so this is not that surprising.

Thanks,

Douglas Fraser
Veea Systems Inc.

Doug Fraser
 

James,

Thanks a million. I actually started down this path from: https://blog.hansenpartnership.com/tpm-projects/

I have also watched your presentation from earlier this year, it was quite good, thank you.

On to the ibmtss to continue my adventure.....

Sincerely,

Douglas Fraser


Doug Fraser
 

James (and others...)

Attached is a cross make file I use under Alpine Linux on Arm7 (32) to build the libraries.
Everything builds and links with no errors. We are building TPM20 only.
Currently pulling ibm tss v1331...

It is being built against Alpine Libraries v3.8 main, libgcrypt libgcrypt-dev libressl libressl-dev

The make line for this is make -j8 -f ibmtss-cross.mk CC="${CROSS_COMPILE}"gcc SYSROOT="${install_top}" PREFIX="/usr"

Where cross compile is arm-linux-musleabihf-

We are using MUSL lib based gcc 6.4.0 that has been compiled for SYSROOT support (which is immensely helpful for cross building)

I'll let you know how it progresses, but thanks for the help getting me pointed in the right direction.

Douglas Fraser


James Bottomley
 

On Wed, 2018-12-19 at 21:30 +0000, Doug Fraser wrote:
James (and others...)

Attached is a cross make file I use under Alpine Linux on Arm7 (32)
to build the libraries.
Everything builds and links with no errors. We are building TPM20
only. Currently pulling ibm tss v1331...
Sounds good. IBM is working on an autoconf based update internally
which should be released soon and which should make this easier.

It is being built against Alpine Libraries v3.8 main, libgcrypt
libgcrypt-dev libressl libressl-dev

The make line for this is make -j8 -f ibmtss-cross.mk
CC="${CROSS_COMPILE}"gcc SYSROOT="${install_top}" PREFIX="/usr"

Where cross compile is arm-linux-musleabihf-

We are using MUSL lib based gcc 6.4.0 that has been compiled for
SYSROOT support (which is immensely helpful for cross building)
Ah, you'll hit my blind spot in the engine as well then: I never
really cross compile, I build pseudo natively using architecture
emulation containers (have to so make check works) and all the
automated multiple architecture build environments

https://build.opensuse.org/project/show/home:jejb1:TPM

Do the same, so although cross compiling should work because of
autoconf, I don't believe anyone's ever tested it.

I'll let you know how it progresses, but thanks for the help getting
me pointed in the right direction.
That's great, and you're welcome.

James

Doug Fraser
 

Updated cross make that builds ibmtss on an armhf target.
Built and linked properly, and installed, on target, and tested with Infineon HW TPM device.

I had to straighten out some -rpath -rpath-link issues from my first attempt.


Doug Fraser
 

Okay,

I am plowing my way through the next part, that is, getting openssl-tpm2-engine to build against libressl (under Alpine) as opposed to openssl

There are differences, and right off the bat, openssl DEFINE_STACK_OF(TSSOPTPOLICY); needs to be libressl DECLARE_STACK_OF(TSSOPTPOLICY); (except that they are slightly different)

Anyone here plowed through this field before me?

Thanks!

Douglas Fraser

Doug Fraser
 

Good Morning in openssl-tpm2-engine land!

I deprecated libressl on my Alpine target to 'smooth the way'. That lines up with some application team members that required openssl on target so it is all good.

I still have a ton of testing to do, but I now have the full ibmtss2 library and tpm2_* tools cross built and installed on armhf target with MUSL C lib based gcc 6.4.0.
It all appears to be running (properly) under Linux 4.14.77 on armv7 running in 32 bit mode.

This is all handled in the cross build makefile I shared earlier.

On to openssl-tpm2-engine:

I had to make one small change to openssl-tpm2-engine before running bootstrap/configure prior to the build.
Right after pulling the git tree, at the top of the tree I do:

#$ sed -i 's/ create_tpm2_key.1//' Makefile.am

This removes a documentation dependency on help2man.
This is required because I am cross-compiling, and I cannot execute `create_tpm2_key --help` on the build host to extract the document.

It would be helpful if there were a configure option to block documentation generation completely.

In addition, when I `make install`, everything goes well until it runs libtool on libtpm2(.la/.so), where it installs it on my host, not on my cross target.
It is not honoring --prefix for the cross target libraries, only the binary.

Here is my configure line, after editing Makefile.AM and running `bootstrap`

#$ ./configure CC="${CROSS_COMPILE}"gcc CPPFLAGS="--sysroot=${install_top} -I${build_top}/ibmtss/utils -I${build_top}/openssl_tpm2_engine -fPIC" LDFLAGS="--sysroot=${install_top}" --prefix="${install_top}"/usr --host=arm-linux-musleabihf

--prefix="${install_top}"/usr <<<< this is the base where I expect everything to be installed.

I am going to look at that this morning and see what I have to change for that to configure/automake properly.

Douglas Fraser


Fredrik Ternerot
 

On Fri, Dec 21, 2018 at 4:22 PM Doug Fraser <doug.fraser@...> wrote:

Good Morning in openssl-tpm2-engine land!

I deprecated libressl on my Alpine target to 'smooth the way'. That lines up with some application team members that required openssl on target so it is all good.

I still have a ton of testing to do, but I now have the full ibmtss2 library and tpm2_* tools cross built and installed on armhf target with MUSL C lib based gcc 6.4.0.
It all appears to be running (properly) under Linux 4.14.77 on armv7 running in 32 bit mode.

This is all handled in the cross build makefile I shared earlier.

On to openssl-tpm2-engine:

I had to make one small change to openssl-tpm2-engine before running bootstrap/configure prior to the build.
Right after pulling the git tree, at the top of the tree I do:

#$ sed -i 's/ create_tpm2_key.1//' Makefile.am
I actually do almost exactly the same fix. I'm also cross compiling
for 32-bit armv7 using OpenEmbedded.


This removes a documentation dependency on help2man.
This is required because I am cross-compiling, and I cannot execute `create_tpm2_key --help` on the build host to extract the document.

It would be helpful if there were a configure option to block documentation generation completely.
I agree.


In addition, when I `make install`, everything goes well until it runs libtool on libtpm2(.la/.so), where it installs it on my host, not on my cross target.
It is not honoring --prefix for the cross target libraries, only the binary.
In case you wonder, I haven't checked this since I'm using a custom
install variant in my bitbake recipe instead of relying on 'make
install'.

Fredrik Ternerot


Here is my configure line, after editing Makefile.AM and running `bootstrap`

#$ ./configure CC="${CROSS_COMPILE}"gcc CPPFLAGS="--sysroot=${install_top} -I${build_top}/ibmtss/utils -I${build_top}/openssl_tpm2_engine -fPIC" LDFLAGS="--sysroot=${install_top}" --prefix="${install_top}"/usr --host=arm-linux-musleabihf

--prefix="${install_top}"/usr <<<< this is the base where I expect everything to be installed.

I am going to look at that this morning and see what I have to change for that to configure/automake properly.

Douglas Fraser




Doug Fraser
 

Fred,

Thanks for your response.

I have some ideas how I am going to install at this point, but I am curious how you are determining your OpenSSL engine directory for your specific target?
We are actually building OpenSSL on our target, so I have two options:

1) grep for OPENSSL_ENGINES_DIR in the build artifacts and process that. *it is indeed, there..... ugly, but useable*
2) after cross building and installing openssl, cross building a small test application that does nothing more than "puts(OpenSSL_version(OPENSSL_ENGINES_DIR));" and running that in chroot on target.

Those are the two methods I have at hand, did you use one of these? Or a third way?

Thanks for the reply!

Douglas Fraser


Fredrik Ternerot
 

On Fri, Dec 21, 2018 at 8:11 PM Doug Fraser <doug.fraser@...> wrote:

Fred,

Thanks for your response.

I have some ideas how I am going to install at this point, but I am curious how you are determining your OpenSSL engine directory for your specific target?
We are actually building OpenSSL on our target, so I have two options:

1) grep for OPENSSL_ENGINES_DIR in the build artifacts and process that. *it is indeed, there..... ugly, but useable*
2) after cross building and installing openssl, cross building a small test application that does nothing more than "puts(OpenSSL_version(OPENSSL_ENGINES_DIR));" and running that in chroot on target.

Those are the two methods I have at hand, did you use one of these? Or a third way?
Sorry but I have no good solution for this either, I'm basically hard
coding the engines dir. I will try to clean up my changes after the
holidays and if I come up with some good solution I will let you know.

I also have some other workarounds that I probably should send mails
about. In short one problem regarding padding for RSA decrypt when
using openssl 1.0.x (not seen when using 1.1) and one problem
regarding permission of TSS tmp dir when the application is changing
user (in my case Apache httpd loads the keys as root but using them as
another user).

Fredrik Ternerot


Thanks for the reply!

Douglas Fraser


Doug Fraser
 

I am doing this between my ibmtss build and my openssl_tpm2_engine build....
This gets me the proper path, then I hand install using my own makefile.
I tried editing the configured Makefile using the results of this, but it still does some strange things with libtool that blows it up, so I hand install the output to the target after the build.

This *should* work with any installed version of openssl.
Feel free to pick away at parts of this if they are useful at all.

Douglas Fraser

# For OPENSSL TPM2 Engine, we need to know where the installed OpenSSL
# is going to look for its engines.
# We do that by cross building this little application and running it
# in chroot, and then extracting the string that it spits out.
# exit_code is the running error counter used by the rest of the build
# script; default it so this fragment also works on its own.
exit_code=${exit_code:-1}
rm -f enginesdir
rm -f openssl_engine_path.c
cat <<'PATH_TEST' >openssl_engine_path.c
/* OpenSSL 1.0.x only exposes ENGINESDIR from opensslconf.h when
 * HEADER_CRYPTLIB_H is defined, so define it before the include.
 * OpenSSL 1.1.x reports the directory at run time instead. */
#define HEADER_CRYPTLIB_H
#include <openssl/crypto.h>
#include <stdio.h>
int
main ()
{
#if OPENSSL_VERSION_NUMBER < 0x10100000
	puts(ENGINESDIR);
#else
	puts(OpenSSL_version(OPENSSL_ENGINES_DIR));
#endif
	return 0;
}
PATH_TEST

# Cross compile directly to /tmp on chroot install top.
# -lcrypto is needed for the 1.1.x branch (OpenSSL_version lives in libcrypto).
if ! "${CROSS_COMPILE}"gcc -o "${install_top}"/tmp/openssl_engine_path --sysroot="${install_top}" openssl_engine_path.c -lcrypto
then
	echo "Failed: unable to build openssl_engine_path.c"
	exit "${exit_code}"
fi
exit_code=$((exit_code+1))

# Execute and store the printed string in /tmp
if ! chroot "${install_top}" /bin/sh -c '/tmp/openssl_engine_path > /tmp/enginesdir'
then
	echo "Failed: unable to run openssl_engine_path in chroot"
	exit "${exit_code}"
fi
exit_code=$((exit_code+1))

# Bring the string up here (in its file) and clean up
cp "${install_top}"/tmp/enginesdir "${build_top}"/enginesdir
rm -f "${install_top}"/tmp/openssl_engine_path "${install_top}"/tmp/enginesdir


James Bottomley
 

On Fri, 2018-12-21 at 15:22 +0000, Doug Fraser wrote:
[...]
On to openssl-tpm2-engine:

I had to make one small change to openssl-tpm2-engine before running
bootstrap/configure prior to the build.
Right after pulling the git tree, at the top of the tree I do:

#$ sed -i 's/ create_tpm2_key.1//' Makefile.am

This removes a documentation dependency on help2man.
This is required because I am cross-compiling, and I cannot execute
`create_tpm2_key --help` on the build host to extract the document.

It would be helpful if there were a configure option to block
documentation generation completely.
Well, as I said, I've never actually done a cross compile. However,
leafing through the somewhat confusing automake documentation on cross
compiles, I think this is the fix.

James

---

diff --git a/Makefile.am b/Makefile.am
index 8c24dbe..7d3b645 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,8 +1,11 @@
-EXTRA_DIST = README openssl.cnf.sample create_tpm2_key.1
+EXTRA_DIST = README openssl.cnf.sample

+if NATIVE_BUILD
+EXTRA_DIST += create_tpm2_key.1
man1_MANS = create_tpm2_key.1

CLEANFILES = $(man1_MANS)
+endif

openssl_engine_LTLIBRARIES=libtpm2.la
bin_PROGRAMS=create_tpm2_key
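Review bot: putting `man1_MANS = create_tpm2_key.1` and the `EXTRA_DIST += create_tpm2_key.1` line inside the same `if NATIVE_BUILD` block means a cross build never installs the man page at all, even from a release tarball that already ships a pre-generated `create_tpm2_key.1`, and a `make dist` run from a cross build omits the page from the tarball. Only the help2man rule that regenerates the page from the freshly built binary (not part of this hunk) actually needs to execute target code, so keep the `EXTRA_DIST` entry and `man1_MANS` unconditional and wrap just that rule in `if NATIVE_BUILD`; that way native builds regenerate the page and cross builds install the one that was distributed.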
diff --git a/configure.ac b/configure.ac
index ea544ea..a96206c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4,6 +4,8 @@

AC_INIT(openssl-tpm2-engine, 2.1.0, <James.Bottomley@...>)
AM_INIT_AUTOMAKE(1.6.3)
+AC_CANONICAL_HOST
+AM_CONDITIONAL(NATIVE_BUILD, test "x$cross_compiling" = "xno")

AM_MISSING_PROG(HELP2MAN, help2man)
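Review bot: the `AM_CONDITIONAL(NATIVE_BUILD, test "x$cross_compiling" = "xno")` line is evaluated straight after `AM_INIT_AUTOMAKE`, before any compiler check in this hunk, but autoconf only settles `$cross_compiling` during `AC_PROG_CC`'s check that a compiled test program runs; until then it is `maybe` whenever `--host` was given. So `./configure --host=<the build triplet>` on a native box makes NATIVE_BUILD false and silently drops the man page, while a genuine cross build that passes both `--build` and `--host` gets `yes` and works. Move the `AM_CONDITIONAL` below `AC_PROG_CC` (`AC_CANONICAL_HOST` can stay where it is) and add a one-line comment saying why the condition exists, i.e. that help2man must execute the just-built `create_tpm2_key`.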

Fredrik Ternerot
 

On Sat, Dec 22, 2018 at 7:21 PM James Bottomley
<James.Bottomley@...> wrote:

On Fri, 2018-12-21 at 15:22 +0000, Doug Fraser wrote:
[...]
On to openssl-tpm2-engine:

I had to make one small change to openssl-tpm2-engine before running
bootstrap/configure prior to the build.
Right after pulling the git tree, at the top of the tree I do:

#$ sed -i 's/ create_tpm2_key.1//' Makefile.am

This removes a documentation dependency on help2man.
This is required because I am cross-compiling, and I cannot execute
`create_tpm2_key --help` on the build host to extract the document.

It would be helpful if there were a configure option to block
documentation generation completely.
Well, as I said, I've never actually done a cross compile. However,
leafing through the somewhat confusing automake documentation on cross
compiles, I think this is the fix.
I can confirm that this solves the problem with help2man for me.

The changes in configure.ac are present in the latest commit (b43aa97
Version: 2.1.1). Would you mind adding the changes in Makefile.am as
well?

Thanks,
Fredrik





James Bottomley
 

On Mon, 2019-01-14 at 14:47 +0100, Fredrik Ternerot wrote:
On Sat, Dec 22, 2018 at 7:21 PM James Bottomley
<James.Bottomley@...> wrote:

On Fri, 2018-12-21 at 15:22 +0000, Doug Fraser wrote:
[...]
On to openssl-tpm2-engine:

I had to make one small change to openssl-tpm2-engine before
running
bootstrap/configure prior to the build.
Right after pulling the git tree, at the top of the tree I do:

#$ sed -i 's/ create_tpm2_key.1//' Makefile.am

This removes a documentation dependency on help2man.
This is required because I am cross-compiling, and I cannot
execute
`create_tpm2_key --help` on the build host to extract the
document.

It would be helpful if there were a configure option to block
documentation generation completely.
Well, as I said, I've never actually done a cross
compile.  However,
leafing through the somewhat confusing automake documentation on
cross
compiles, I think this is the fix.
I can confirm that this solves the problem with help2man for me.

The changes in configure.ac are present in the latest commit (b43aa97
Version: 2.1.1). Would you mind adding the changes in Makefile.am as
well?
Heh, well, I was supposed to be keeping that local to my tree until
someone tested it, but it must have got partially pushed with the
version update. Thanks for testing, I've added a commit for the rest
of the Makefile stuff. Note, I don't think this is sufficient, but
like I said I got out of cross compiling ages ago mainly because of the
need to run make check, so I only use emulation containers nowadays, so
I'm betting there will be other issues.

James

Fredrik Ternerot
 

On Mon, Jan 14, 2019 at 3:38 PM James Bottomley
<James.Bottomley@...> wrote:

On Mon, 2019-01-14 at 14:47 +0100, Fredrik Ternerot wrote:
On Sat, Dec 22, 2018 at 7:21 PM James Bottomley
<James.Bottomley@...> wrote:

On Fri, 2018-12-21 at 15:22 +0000, Doug Fraser wrote:
[...]
On to openssl-tpm2-engine:

I had to make one small change to openssl-tpm2-engine before running
bootstrap/configure prior to the build.
Right after pulling the git tree, at the top of the tree I do:

#$ sed -i 's/ create_tpm2_key.1//' Makefile.am

This removes a documentation dependency on help2man.
This is required because I am cross-compiling, and I cannot execute
`create_tpm2_key --help` on the build host to extract the document.

It would be helpful if there were a configure option to block
documentation generation completely.
Well, as I said, I've never actually done a cross compile. However,
leafing through the somewhat confusing automake documentation on cross
compiles, I think this is the fix.
I can confirm that this solves the problem with help2man for me.

The changes in configure.ac are present in the latest commit (b43aa97
Version: 2.1.1). Would you mind adding the changes in Makefile.am as
well?
Heh, well, I was supposed to be keeping that local to my tree until
someone tested it, but it must have got partially pushed with the
version update. Thanks for testing, I've added a commit for the rest
of the Makefile stuff. Note, I don't think this is sufficient, but
like I said I got out of cross compiling ages ago mainly because of the
need to run make check, so I only use emulation containers nowadays, so
I'm betting there will be other issues.
You are right, another issue is the detection of enginesdir in
configure.ac. This is done by generating a test program that is
compiled and executed, which doesn't work when cross compiling. Do you
know any other ways to do it?

Thanks,
Fredrik

James Bottomley
 

On Mon, 2019-01-21 at 12:01 +0100, Fredrik Ternerot wrote:
On Mon, Jan 14, 2019 at 3:38 PM James Bottomley
<James.Bottomley@...> wrote:

On Mon, 2019-01-14 at 14:47 +0100, Fredrik Ternerot wrote:
On Sat, Dec 22, 2018 at 7:21 PM James Bottomley
<James.Bottomley@...> wrote:

On Fri, 2018-12-21 at 15:22 +0000, Doug Fraser wrote:
[...]
On to openssl-tpm2-engine:

I had to make one small change to openssl-tpm2-engine before
running bootstrap/configure prior to the build.
Right after pulling the git tree, at the top of the tree I do:

#$ sed -i 's/ create_tpm2_key.1//' Makefile.am

This removes a documentation dependency on help2man.
This is required because I am cross-compiling, and I cannot execute
`create_tpm2_key --help` on the build host to extract the document.

It would be helpful if there were a configure option to block
documentation generation completely.
Well, as I said, I've never actually done a cross compile. However,
leafing through the somewhat confusing automake documentation on
cross compiles, I think this is the fix.
I can confirm that this solves the problem with help2man for me.

The changes in configure.ac are present in the latest commit
(b43aa97 Version: 2.1.1). Would you mind adding the changes in
Makefile.am as well?
Heh, well, I was supposed to be keeping that local to my tree until
someone tested it, but it must have got partially pushed with the
version update. Thanks for testing, I've added a commit for the
rest of the Makefile stuff. Note, I don't think this is
sufficient, but like I said I got out of cross compiling ages ago
mainly because of the need to run make check, so I only use
emulation containers nowadays, so I'm betting there will be other
issues.
You are right, another issue is the detection of enginesdir in
configure.ac. This is done by generating a test program that is
compiled and executed, which doesn't work when cross compiling. Do
you know any other ways to do it?
Yes, we can use pkg-config to get that. The reason we didn't before is
that openSUSE actually had the wrong directory in the openssl.pc file
(so you couldn't build working engines on openSUSE unless you detected
the engines directory yourself). They've since fixed this as a bug and
it should now work on all distributions.

James
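As an added illustration of the pkg-config approach James describes (this is example code, not part of openssl_tpm2_engine or its configure.ac), the script below resolves `enginesdir` from a libcrypto.pc file in the same way `pkg-config --variable=enginesdir libcrypto` does, expanding the `${prefix}`/`${libdir}` references, instead of compiling and executing a probe program that cannot run on the build host during a cross compile. The libcrypto.pc contents are a constructed sample modelled on OpenSSL 1.1's layout; the function names and the absolute-path sanity check are the example's own.

```shell
#!/bin/sh
# Added example: resolve OpenSSL's engines directory from libcrypto.pc
# rather than from a compiled-and-executed probe, which is the step that
# breaks when cross compiling. Not code from openssl_tpm2_engine.

# Constructed sample of the variable section of an OpenSSL 1.1 libcrypto.pc
# (a distribution's real file may differ); written to a temp dir so the
# example runs offline.
write_sample_pc() {
    dir=$(mktemp -d)
    cat > "$dir/libcrypto.pc" <<'EOF'
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
enginesdir=${libdir}/engines-1.1

Name: OpenSSL-libcrypto
Description: OpenSSL cryptography library
Version: 1.1.1
Libs: -L${libdir} -lcrypto
EOF
    echo "$dir/libcrypto.pc"
}

# pc_variable FILE NAME: print variable NAME from a .pc file with ${...}
# references expanded the way pkg-config does. Returns 1 if NAME is not
# defined in the file.
pc_variable() {
    awk -v want="$2" '
        # Variable lines look like name=value; keyword lines use "Name: value"
        # and therefore never match this pattern.
        /^[A-Za-z_][A-Za-z0-9_]*=/ {
            eq = index($0, "=")
            vars[substr($0, 1, eq - 1)] = substr($0, eq + 1)
        }
        END {
            if (!(want in vars)) exit 1
            val = vars[want]
            # Expand nested ${name} references; the iteration bound guards
            # against a self-referencing variable looping forever.
            for (i = 0; i < 32 && match(val, /\$[{][A-Za-z_][A-Za-z0-9_]*[}]/); i++) {
                ref = substr(val, RSTART + 2, RLENGTH - 3)
                val = substr(val, 1, RSTART - 1) vars[ref] substr(val, RSTART + RLENGTH)
            }
            print val
        }' "$1"
}

# detect_enginesdir PCFILE: the cross-compile-safe replacement for the
# compile-and-run probe. Prints the directory on success.
detect_enginesdir() {
    pcfile=$1
    dir=$(pc_variable "$pcfile" enginesdir) || {
        echo "enginesdir not defined in $pcfile" >&2
        return 1
    }
    # Sanity check: the value must be an absolute path. A distro .pc file
    # can still carry a wrong directory (the openSUSE case in the thread),
    # so a real configure script should additionally let the builder
    # override the value (e.g. --with-enginesdir) instead of trusting it.
    case $dir in
        /*) printf '%s\n' "$dir" ;;
        *)  echo "enginesdir '$dir' is not absolute" >&2; return 1 ;;
    esac
}

main() {
    pc=$(write_sample_pc)
    detect_enginesdir "$pc"
    rm -rf "$(dirname "$pc")"
}

main "$@"
```

With a real OpenSSL 1.1 install the same value comes from `pkg-config --variable=enginesdir libcrypto` (or `PKG_CHECK_VAR([enginesdir], [libcrypto], [enginesdir])` in configure.ac); for a cross build, point pkg-config at the target sysroot with `PKG_CONFIG_LIBDIR` and `PKG_CONFIG_SYSROOT_DIR` so it reads the target's .pc file rather than the build host's.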

Fredrik Ternerot
 

On Mon, Jan 14, 2019 at 2:48 PM Fredrik Ternerot via Groups.Io
<fredrik.trot=gmail.com@groups.io> wrote:

On Sat, Dec 22, 2018 at 7:21 PM James Bottomley
<James.Bottomley@...> wrote:

On Fri, 2018-12-21 at 15:22 +0000, Doug Fraser wrote:
[...]
On to openssl-tpm2-engine:

I had to make one small change to openssl-tpm2-engine before running
bootstrap/configure prior to the build.
Right after pulling the git tree, at the top of the tree I do:

#$ sed -i 's/ create_tpm2_key.1//' Makefile.am

This removes a documentation dependency on help2man.
This is required because I am cross-compiling, and I cannot execute
`create_tpm2_key --help` on the build host to extract the document.

It would be helpful if there were a configure option to block
documentation generation completely.
Well, as I said, I've never actually done a cross compile. However,
leafing through the somewhat confusing automake documentation on cross
compiles, I think this is the fix.
I can confirm that this solves the problem with help2man for me.
This did solve it for me when it comes to building for target, but
when building for native (needed for unittests) I still have a problem
because help2man is not available in my build environment. As
previously suggested, it would be helpful if there was a configure
option to disable man page generation completely. Would that be an
acceptable option to add?

Fredrik