[Buildroot] [PATCH v2,1/2] package/wolftpm: fix dependencies

Fabrice Fontaine fontaine.fabrice at gmail.com
Wed Jun 15 07:30:16 UTC 2022


Hi Dimi,

On Wed, 15 Jun 2022 at 09:10, Dimi Tomov <dimi at tpm.dev> wrote:
>
> Hi Yann,
>
> I just noticed one really bad typo. I could submit a patch that also
> adds extra wolfTPM options, so it is not a one-word patch.
>
> "Enable wolfCrypt hooks for RNG, Auth Sessions and Parameter encryption."

This sentence was copy/pasted from wolftpm's configure.ac/README.md:
https://github.com/wolfSSL/wolfTPM/blob/160b3e04f6121aa7429f030c570bd86239ca01b8/configure.ac#L154
I would advise also sending them a PR if this is incorrect.

However, after a quick search on upstream github, it seems that
wolftpm supports hardware and software RNG through
WOLFTPM2_USE_{HW,WOLF}_RNG:
https://github.com/wolfSSL/wolfTPM/blob/160b3e04f6121aa7429f030c570bd86239ca01b8/wolftpm/tpm2_wrap.h#L1685

It even seems that WOLFTPM2_USE_HW_RNG is not defined by default,
resulting in WOLFTPM2_USE_WOLF_RNG being used as soon as wolfcrypt is
available:
https://github.com/wolfSSL/wolfTPM/blob/5dd781e4717422b717021ed1dd8aeb226d98e480/wolftpm/tpm2.h#L1694

So, IMHO, the sentence is not incorrect and an option to enable
hardware RNG is needed.

>
> The TPM chip is the source of RNG. To claim that a TPM 2.0 library is
> using a Software-based source of RNG would be a red flag for users. The
> rest is accurate - wolfCrypt is used by wolfTPM to establish Session and
> Parameter encryption between the Host CPU and the TPM chip.
>
> Thanks,
> Dimi
>
> On 2022-06-12 06:19 PM, Yann E. MORIN wrote:
> > Fabrice, All,
> >
> > On 2022-06-12 10:45 +0200, Fabrice Fontaine spake thusly:
> >> pkg-config is not used by wolftpm, and the wolfssl dependency is
> >> missing (it is optional but highly recommended), resulting in the
> >> following build failure since the addition of the package in commit
> >> 4bb884a3c61c6b71e33f69453a90eb2a367f64b7:
> >>
> >> configure: error: WolfSSL library not found. You can get it from
> >> http://www.wolfssl.com/download.html
> >>         If it's already installed, specify its path using
> >> --with-wolfcrypt=/dir or --prefix=/dir
> >>
> >> Fixes:
> >>  - http://autobuild.buildroot.org/results/77a93521b909e701ef4e86f18524258b9242c721
> >>
> >> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> >
> > Both patches applied to master, thanks.
> >
> > Regards,
> > Yann E. MORIN.
> >
> >> ---
> >> Changes v1 -> v2 (after review of Dimi Tomov):
> >>  - Add a wolfcrypt option which is enabled by default
> >>
> >>  package/wolftpm/Config.in  | 23 ++++++++++++++++++-----
> >>  package/wolftpm/wolftpm.mk | 13 ++++++++++---
> >>  2 files changed, 28 insertions(+), 8 deletions(-)
> >>
> >> diff --git a/package/wolftpm/Config.in b/package/wolftpm/Config.in
> >> index 0fe094f277..0b964c3d7e 100644
> >> --- a/package/wolftpm/Config.in
> >> +++ b/package/wolftpm/Config.in
> >> @@ -1,9 +1,5 @@
> >>  config BR2_PACKAGE_WOLFTPM
> >>      bool "wolftpm"
> >> -    depends on BR2_TOOLCHAIN_HAS_THREADS
> >> -    depends on !BR2_STATIC_LIBS
> >> -    select BR2_PACKAGE_WOLFSSL
> >> -    select BR2_PACKAGE_WOLFSSL_ALL
> >>      help
> >>        wolfTPM is a portable, open-source TPM 2.0 stack with
> >>        backward API compatibility, designed for embedded use.
> >> @@ -12,5 +8,22 @@ config BR2_PACKAGE_WOLFTPM
> >>
> >>        https://www.wolfssl.com/
> >>
> >> -comment "wolftpm needs a toolchain w/ threads, dynamic library"
> >> +if BR2_PACKAGE_WOLFTPM
> >> +
> >> +config BR2_PACKAGE_WOLFTPM_WOLFCRYPT
> >> +    bool "wolfCrypt hooks"
> >> +    default y
> >> +    depends on BR2_TOOLCHAIN_HAS_THREADS # wolfssl
> >> +    depends on !BR2_STATIC_LIBS # wolfssl-all
> >> +    select BR2_PACKAGE_WOLFSSL
> >> +    # not mandatory, but needed to get all features
> >> +    select BR2_PACKAGE_WOLFSSL_ALL
> >> +    help
> >> +      Enable wolfCrypt hooks for RNG, Auth Sessions and Parameter
> >> +      encryption. Disabling this option is not recommended as it
> >> +      could create a security breach in most environments.
> >> +
> >> +comment "wolfCrypt hooks need a toolchain w/ threads, dynamic
> >> library"
> >>      depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
> >> +
> >> +endif
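Review bot: the help text for BR2_PACKAGE_WOLFTPM_WOLFCRYPT warns that disabling it "could create a security breach in most environments" without saying what is actually lost, and because the option `depends on BR2_TOOLCHAIN_HAS_THREADS` and `!BR2_STATIC_LIBS` it silently disappears, and wolftpm is built without wolfCrypt, on exactly the configurations the `comment` line covers. Say concretely what a build without the hooks gives up (per the option title: authenticated sessions and parameter encryption between host and TPM), and consider extending the comment so a user whose toolchain lacks threads or uses static libs learns that wolftpm will still be built, only without them. The "RNG" wording in the same help text is being questioned elsewhere in this thread, so that phrase may need to be revisited as well. Finally, `# not mandatory, but needed to get all features` on `select BR2_PACKAGE_WOLFSSL_ALL` would be more useful if it named which wolfTPM features need the full wolfSSL build.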
> >> diff --git a/package/wolftpm/wolftpm.mk b/package/wolftpm/wolftpm.mk
> >> index ea01eaad6b..760656e134 100644
> >> --- a/package/wolftpm/wolftpm.mk
> >> +++ b/package/wolftpm/wolftpm.mk
> >> @@ -10,7 +10,6 @@ WOLFTPM_INSTALL_STAGING = YES
> >>  WOLFTPM_LICENSE = GPL-2.0+
> >>  WOLFTPM_LICENSE_FILES = LICENSE
> >>  WOLFTPM_CPE_ID_VENDOR = wolfssl
> >> -WOLFTPM_DEPENDENCIES = host-pkgconf
> >>  WOLFTPM_CONFIG_SCRIPTS = wolftpm-config
> >>
> >>  # wolfTPM's source code is released without a configure script,
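Review bot: removing `WOLFTPM_DEPENDENCIES = host-pkgconf` leaves the variable defined only through `+=` inside the later conditional, which is fine for make, but `WOLFTPM_AUTORECONF = YES` (visible in the next hunk header) means configure is regenerated at build time, and autoreconf needs pkg.m4 from host-pkgconf if configure.ac references any PKG_* macro. The commit message asserts that pkg-config is not used by wolftpm; if that was established by checking configure.ac for PKG_CHECK_MODULES or PKG_PROG_PKG_CONFIG, say so there, since the autoreconf step is the one that would break.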
> >> @@ -19,8 +18,7 @@ WOLFTPM_AUTORECONF = YES
> >>
> >>  WOLFTPM_CONF_OPTS = \
> >>      --disable-examples \
> >> -    --enable-devtpm \
> >> -    --with-wolfcrypt=$(STAGING_DIR)/usr
> >> +    --enable-devtpm
> >>
> >>  # Fix for missing config.rpath in the codebase
> >>  define WOLFTPM_TOUCH_CONFIG_RPATH
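Review bot: dropping `--with-wolfcrypt=$(STAGING_DIR)/usr` from the unconditional WOLFTPM_CONF_OPTS is only correct together with the `--disable-wolfcrypt` added in the conditional block of the last hunk: the configure error quoted in the commit message shows that wolftpm looks for wolfSSL by default and aborts when it cannot find it, so an unconditional list that merely omits the flag would reproduce the autobuild failure. A one-line comment above the conditional block, or a sentence in the commit message, noting that the explicit disable is what makes the wolfCrypt-less build succeed would keep the two hunks from drifting apart later.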
> >> @@ -29,4 +27,13 @@ define WOLFTPM_TOUCH_CONFIG_RPATH
> >>  endef
> >>  WOLFTPM_PRE_CONFIGURE_HOOKS += WOLFTPM_TOUCH_CONFIG_RPATH
> >>
> >> +ifeq ($(BR2_PACKAGE_WOLFTPM_WOLFCRYPT),y)
> >> +WOLFTPM_CONF_OPTS += \
> >> +    --enable-wolfcrypt \
> >> +    --with-wolfcrypt=$(STAGING_DIR)/usr
> >> +WOLFTPM_DEPENDENCIES += wolfssl
> >> +else
> >> +WOLFTPM_CONF_OPTS += --disable-wolfcrypt
> >> +endif
> >> +
> >>  $(eval $(autotools-package))
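Review bot: the `else` branch emits `--disable-wolfcrypt` with no comment, while the Config.in help for the same option says a build without the hooks is "not recommended" for security reasons; add a short comment here stating that this branch is taken when the option is off or unavailable (thread-less or static toolchain) and that the resulting wolftpm has no wolfCrypt-backed sessions or parameter encryption, so the trade-off is visible to whoever next touches the .mk. Also, Config.in selects both BR2_PACKAGE_WOLFSSL and BR2_PACKAGE_WOLFSSL_ALL but the dependency added here is only `wolfssl`; that matches the Config.in hunk, which treats wolfssl-all as a sub-option of the wolfssl package, but a comment noting the coupling avoids a future reader thinking a dependency is missing.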
> >> --
> >> 2.35.1
> >>
> >> _______________________________________________
> >> buildroot mailing list
> >> buildroot at buildroot.org
> >> https://lists.buildroot.org/mailman/listinfo/buildroot
>
> --
> Founder of TPM.dev

Best Regards,

Fabrice
