JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #210896 from NickCao/systemd-tpm2

Browse Source 
systemd: fix tpm2 driver init
This commit is contained in:
Nick Cao 2023-01-18 13:41:00 +08:00 committed by GitHub
commit f04182510f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
pkgs/os-specific/linux/systemd/0019-tpm2_context_init-fix-driver-name-checking.patch Normal file
View File

@ -0,0 +1,44 @@
From 236e9281cb158be3191c500524fbc5f397a25e03 Mon Sep 17 00:00:00 2001
From: Nick Cao <nickcao@nichi.co>
Date: Sun, 15 Jan 2023 20:15:55 +0800
Subject: [PATCH] tpm2_context_init: fix driver name checking
https://github.com/systemd/systemd/commit/542dbc623e introduced
additional checks for tpm2 driver names, namely ensuring the driver
name, when concated with "libtss2-tcti-" and ".so.0", generates a valid
filename (with no '/' inside).
For example, if the driver is name "device", the line
fn = strjoina("libtss2-tcti-", driver, ".so.0")
would yield "libtss2-tcti-device.so.0", passing the check. And the
filename is then passed to dlopen for loading the driver.
Our current approach for systemd to correctly locate these dynamically
loaded libraries is to patch the filenames to include their absolute
path. Thus the line mentioned above is patched into
fn = strjoina("/nix/store/xxxxxxx-tpm2-tss-3.2.0/lib/libtss2-tcti-", driver, ".so.0")
yielding "/nix/store/xxxxxxx-tpm2-tss-3.2.0/lib/libtss2-tcti-device.so.0",
tripping the check.
This patch relaxes the check to also accept absolute paths, by replacing
filename_is_valid with path_is_valid.
---
src/shared/tpm2-util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index ba8dfb041d..7de5d5fc77 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -192,7 +192,7 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) {
fn = strjoina("libtss2-tcti-", driver, ".so.0");
/* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */
- if (!filename_is_valid(fn))
+ if (!path_is_valid(fn))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
dl = dlopen(fn, RTLD_NOW);
--
2.39.0

1
pkgs/os-specific/linux/systemd/default.nix
View File

@ -174,6 +174,7 @@ stdenv.mkDerivation {
./0016-pkg-config-derive-prefix-from-prefix.patch ./0016-pkg-config-derive-prefix-from-prefix.patch
./0017-inherit-systemd-environment-when-calling-generators.patch ./0017-inherit-systemd-environment-when-calling-generators.patch
./0018-core-don-t-taint-on-unmerged-usr.patch ./0018-core-don-t-taint-on-unmerged-usr.patch
./0019-tpm2_context_init-fix-driver-name-checking.patch
] ++ lib.optional stdenv.hostPlatform.isMusl ( ] ++ lib.optional stdenv.hostPlatform.isMusl (
let let
oe-core = fetchzip { oe-core = fetchzip {