diff --git a/pkgs/tools/security/chaps/default.nix b/pkgs/tools/security/chaps/default.nix
new file mode 100644
index 000000000000..9a2ae0b5114b
--- /dev/null
+++ b/pkgs/tools/security/chaps/default.nix
@@ -0,0 +1,81 @@
+{ stdenv, fetchgit, fetchurl, trousers, leveldb, unzip, scons, pkgconfig
+, glib, dbus_cplusplus, dbus, protobuf, openssl, snappy, pam }:
+
+let
+ src_chromebase = fetchgit {
+ url = "https://chromium.googlesource.com/chromium/src/base.git";
+ rev = "2dfe404711e15e24e79799516400c61b2719d7af";
+ sha256 = "2bd93a3ace4b6767db2c1bd1e16f426c97b8d2133a9cb15f8372b2516cfa65c5";
+ };
+
+ src_gmock = fetchurl {
+ url = "https://googlemock.googlecode.com/files/gmock-1.7.0.zip";
+ sha256 = "0nq98cpnv2jsx2byp4ilam6kydcnziflkc16ikydajmp4mcvpz16";
+ };
+
+ src_platform2 = fetchgit {
+ url = "https://chromium.googlesource.com/chromiumos/platform2";
+ rev = "e999e989eaa71c3db7314fc7b4e20829b2b5473b";
+ sha256 = "bb43ef7918ec6219711cbba3ce91236413738f1341261a1845256b3d6cc9f843";
+ };
+
+in
+
+stdenv.mkDerivation rec {
+ name = "chaps-0.42-6812";
+ version = "0.42-6812";
+
+ src = fetchgit {
+ url = "https://github.com/google/chaps-linux";
+ rev = "989aadc45cdb216ca35b0c97d13fc691576fa1d7";
+ sha256 = "c58e08e89d36050cd831116819d555f0e24e7bf11047cb18f2a2eead45ba67be";
+ };
+
+ patches = [ ./fix_absolute_path.patch ./fix_environment_variables.patch ./fix_scons.patch ./insert_prefetches.patch ];
+
+ postPatch = ''
+ substituteInPlace makefile --replace @@NIXOS_SRC_CHROMEBASE@@ ${src_chromebase}
+ substituteInPlace makefile --replace @@NIXOS_SRC_GMOCK@@ ${src_gmock}
+ substituteInPlace makefile --replace @@NIXOS_SRC_PLATFORM2@@ ${src_platform2}
+ substituteInPlace makefile --replace @@NIXOS_LEVELDB@@ ${leveldb}
+ '';
+
+ nativeBuildInputs = [ unzip scons pkgconfig ];
+
+ buildInputs = [ trousers glib dbus_cplusplus dbus protobuf openssl snappy leveldb pam ];
+
+ buildPhase = ''
+ make build
+ '';
+
+ installPhase = ''
+ mkdir -p $out/bin
+ cp ${name}/out/chapsd $out/bin/.
+ cp ${name}/out/chaps_client $out/bin/.
+
+ mkdir -p $out/lib
+ cp ${name}/out/libchaps.so.* $out/lib/.
+ mkdir -p $out/lib/security
+ cp ${name}/out/pam_chaps.so $out/lib/security/.
+
+ mkdir -p $out/include
+ cp -r ${name}/out/chaps $out/include/.
+
+ mkdir -p $out/etc/dbus-1/system.d
+ cp ${name}/out/org.chromium.Chaps.conf $out/etc/dbus-1/system.d/.
+ mkdir -p $out/etc/dbus-1/system-services
+ cp ${name}/platform2/chaps/org.chromium.Chaps.service $out/etc/dbus-1/system-services/.
+
+ mkdir -p $out/usr/share/pam-configs/chaps
+ mkdir -p $out/usr/share/man/man8
+ cp ${name}/man/* $out/usr/share/man/man8/.
+ '';
+
+ meta = with stdenv.lib; {
+ description = "PKCS #11 implementation based on trusted platform module (TPM)";
+ homepage = "https://www.chromium.org/developers/design-documents/chaps-technical-design";
+ maintainers = [ maintainers.tstrobel ];
+ platforms = platforms.linux;
+ license = licenses.bsd3;
+ };
+}
diff --git a/pkgs/tools/security/chaps/fix_absolute_path.patch b/pkgs/tools/security/chaps/fix_absolute_path.patch
new file mode 100644
index 000000000000..7dbd60c73c42
--- /dev/null
+++ b/pkgs/tools/security/chaps/fix_absolute_path.patch
@@ -0,0 +1,18 @@
+diff --git a/patches/platform2/fix_echo.patch b/patches/platform2/fix_echo.patch
+new file mode 100644
+index 0000000..d2272f6
+--- /dev/null
++++ b/patches/platform2/fix_echo.patch
+@@ -0,0 +1,12 @@
++diff -uNr platform2/common-mk/common.mk platform2-new/common-mk/common.mk
++--- platform2/common-mk/common.mk 2015-07-03 12:07:47.482745292 +0200
+++++ platform2-new/common-mk/common.mk 2015-07-03 12:08:16.868600569 +0200
++@@ -263,7 +263,7 @@
++ $(eval $(call override_var,STRIP,strip))
++
++ RMDIR ?= rmdir
++-ECHO = /bin/echo -e
+++ECHO = echo -e
++
++ ifeq ($(lastword $(subst /, ,$(CC))),clang)
++ CDRIVER = clang
diff --git a/pkgs/tools/security/chaps/fix_environment_variables.patch b/pkgs/tools/security/chaps/fix_environment_variables.patch
new file mode 100644
index 000000000000..2d7ee0d9a734
--- /dev/null
+++ b/pkgs/tools/security/chaps/fix_environment_variables.patch
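Review bot: The D-Bus activation files are installed verbatim from the upstream tree (`cp ${name}/out/org.chromium.Chaps.conf …` and `cp ${name}/platform2/chaps/org.chromium.Chaps.service …`), so the service file's `Exec=`/`User=` presumably still name the Chromium OS install path and service user rather than `$out/bin/chapsd` — confirm and `substituteInPlace` both before copying, otherwise bus activation will fail or launch whatever sits at that path on the host. Because `chapsd` holds the TPM-backed keys and `pam_chaps.so` hooks into the login stack, the `.conf` policy (who may own and send to `org.chromium.Chaps`) deserves the same review rather than being shipped unchanged. Separately, man pages and `pam-configs` are placed under `$out/usr/share/…`, which Nix tooling does not pick up; use `mkdir -p $out/share/man/man8 && cp ${name}/man/* $out/share/man/man8/.`, and drop `mkdir -p $out/usr/share/pam-configs/chaps`, which creates an empty directory nothing populates.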
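Review bot: `ECHO = echo -e` only behaves like the `/bin/echo -e` it replaces when make's `/bin/sh` is bash; under dash (the `/bin/sh` on Debian-family systems) the builtin `echo` prints `-e` literally and does not interpret escapes, so the patch trades an absolute path for a dependency on the shell. Inside the Nix build sandbox `/bin/sh` is bash, so it works there, but the patch should say so in a comment; if `$(ECHO)` is only ever given a single quoted string, `ECHO = printf '%b\n'` is portable across both. The enclosing `common.mk` section continues outside the hunk.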
@@ -0,0 +1,42 @@
+diff --git a/extrasrc/Makefile b/extrasrc/Makefile
+index fb95845..77125c0 100644
+--- a/extrasrc/Makefile
++++ b/extrasrc/Makefile
+@@ -10,11 +10,11 @@ OUTDIR=$(SRCDIR)/out
+ GMOCK_DIR=$(SRCDIR)/gmock-$(GMOCK_VER)
+ GTEST_DIR=$(GMOCK_DIR)/gtest
+
+-INCLUDES="-I$(SRCDIR)/include -I$(SRCDIR)/platform2/libchromeos -isystem $(GTEST_DIR)/include -I$(GMOCK_DIR)/include -I$(SRCDIR)/leveldb/include"
++INCLUDES="-I$(SRCDIR)/include -I$(SRCDIR)/platform2/libchromeos -isystem $(GTEST_DIR)/include -I$(GMOCK_DIR)/include -I$(SRCDIR)/leveldb/include $(NIX_LDFLAG) $(NIX_CFLAGS_COMPILE)"
+
+ # To build Chaps, defer to platform2/chaps/Makefile
+ all: libchrome-$(BASE_VER).a libchromeos-$(BASE_VER).a | out
+- cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) CXXFLAGS=$(INCLUDES) OUT=$(OUTDIR) CHAPS_VERSION_MAJOR=$(CHAPS_VERSION_MAJOR) CHAPS_VERSION_MINOR=$(CHAPS_VERSION_MINOR) $(MAKE)
++ cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR):$(PKG_CONFIG_PATH) CXXFLAGS=$(INCLUDES) OUT=$(OUTDIR) CHAPS_VERSION_MAJOR=$(CHAPS_VERSION_MAJOR) CHAPS_VERSION_MINOR=$(CHAPS_VERSION_MINOR) $(MAKE)
+
+ # To build required Chromium components, defer to scons file.
+ libchrome-$(BASE_VER).a:
+@@ -38,7 +38,7 @@ out/libgmock.a: out/gmock-all.o
+ ar -rv $@ $<
+
+ test: out/libgtest.a out/libgmock.a libchrome-$(BASE_VER).a libchromeos-$(BASE_VER).a | out
+- cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) CXXFLAGS=$(INCLUDES) LDLIBS="-L$(OUTDIR)" OUT=$(OUTDIR) $(MAKE) tests
++ cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR):$(PKG_CONFIG_PATH) CXXFLAGS=$(INCLUDES) LDLIBS="-L$(OUTDIR)" OUT=$(OUTDIR) $(MAKE) tests
+
+ clean: clean_chaps clean_chromeos clean_chromebase clean_gmock clean_debian
+ clean_gmock:
+@@ -49,7 +49,7 @@ clean_chromebase:
+ clean_chromeos:
+ -BASE_VER=$(BASE_VER) scons -f Sconstruct.libchromeos -c
+ clean_chaps:
+- -cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) $(MAKE) clean
++ -cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR):$(PKG_CONFIG_PATH) $(MAKE) clean
+ rm -rf out
+ clean_debian:
+ dh_clean
+@@ -64,4 +64,4 @@ install_man:
+ $(INSTALL) -m 0644 -D man/chapsd.8 $(MANDIR)/man8/chapsd.8
+ $(INSTALL) -m 0644 -D man/chaps_client.8 $(MANDIR)/man8/chaps_client.8
+ install: install_man
+- cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) CXXFLAGS=$(INCLUDES) OUT=$(OUTDIR) CHAPS_VERSION_MAJOR=$(CHAPS_VERSION_MAJOR) CHAPS_VERSION_MINOR=$(CHAPS_VERSION_MINOR) $(MAKE) install_files
++ cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR):$(PKG_CONFIG_PATH) CXXFLAGS=$(INCLUDES) OUT=$(OUTDIR) CHAPS_VERSION_MAJOR=$(CHAPS_VERSION_MAJOR) CHAPS_VERSION_MINOR=$(CHAPS_VERSION_MINOR) $(MAKE) install_files
diff --git a/pkgs/tools/security/chaps/fix_scons.patch b/pkgs/tools/security/chaps/fix_scons.patch
new file mode 100644
index 000000000000..54843453c868
--- /dev/null
+++ b/pkgs/tools/security/chaps/fix_scons.patch
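Review bot: `$(NIX_LDFLAG)` in the new `INCLUDES` line is not a variable a nixpkgs build sets (the cc-wrapper's is `NIX_LDFLAGS`), so it expands to nothing, and linker flags do not belong in `CXXFLAGS` in any case. The cc-wrapper already reads `NIX_CFLAGS_COMPILE` and `NIX_LDFLAGS` from the environment on every compile and link, so both references can presumably be dropped and the original `INCLUDES="-I$(SRCDIR)/include -I$(SRCDIR)/platform2/libchromeos -isystem $(GTEST_DIR)/include -I$(GMOCK_DIR)/include -I$(SRCDIR)/leveldb/include"` kept; if an explicit pass-through really is needed, spell the name correctly and limit it to `$(NIX_CFLAGS_COMPILE)`. The `PKG_CONFIG_PATH=$(SRCDIR):$(PKG_CONFIG_PATH)` change itself is sound: make imports the environment value, so the Nix-provided search path survives the override.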
@@ -0,0 +1,26 @@
+diff --git a/extrasrc/Sconstruct.libchrome b/extrasrc/Sconstruct.libchrome
+index 4feb76d..311fe8a 100644
+--- a/extrasrc/Sconstruct.libchrome
++++ b/extrasrc/Sconstruct.libchrome
+@@ -103,7 +103,7 @@ base_lib = {
+ 'pc_libs' : 'glib-2.0',
+ }
+
+-env = Environment()
++env = Environment(ENV = os.environ)
+
+ BASE_VER = os.environ.get('BASE_VER', '0')
+ GTEST_DIR = os.environ.get('GTEST_DIR', '0')
+diff --git a/extrasrc/Sconstruct.libchromeos b/extrasrc/Sconstruct.libchromeos
+index 1da6001..66f9acb 100644
+--- a/extrasrc/Sconstruct.libchromeos
++++ b/extrasrc/Sconstruct.libchromeos
+@@ -18,7 +18,7 @@ base_lib = {
+ 'pc_libs' : 'dbus-c++-1',
+ }
+
+-env = Environment()
++env = Environment(ENV = os.environ)
+
+ PKG_CONFIG = os.environ.get('PKG_CONFIG', 'pkg-config')
+ BASE_VER = os.environ.get('BASE_VER', '0')
diff --git a/pkgs/tools/security/chaps/insert_prefetches.patch b/pkgs/tools/security/chaps/insert_prefetches.patch
new file mode 100644
index 000000000000..8b8449a6e661
--- /dev/null
+++ b/pkgs/tools/security/chaps/insert_prefetches.patch
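Review bot: `Environment(ENV = os.environ)` hands the entire caller environment to every command scons spawns, discarding the minimal `ENV` scons uses deliberately so that builds do not depend on the invoking shell. Inside the Nix sandbox the environment is already controlled, so this is the usual way to let scons find the cc-wrapper on `PATH` and its `NIX_*` variables, but the patch should say so, since the same Sconstruct applied anywhere else silently picks up whatever the user exports; a one-line comment above each change, `# Nix: inherit the sandboxed build env so scons finds the cc-wrapper and NIX_* flags`, records the intent. If only `PATH` and the `NIX_*` variables are needed, a filtered copy such as `ENV = {k: v for k, v in os.environ.items() if k == 'PATH' or k.startswith('NIX_')}` keeps scons's isolation — confirm that set is sufficient before narrowing.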
@@ -0,0 +1,51 @@
+diff --git a/makefile b/makefile
+index b6865f3..c14f5ec 100644
+--- a/makefile
++++ b/makefile
+@@ -53,8 +53,8 @@ $(SRCDIR)/include/trousers/scoped_tss_type.h: extrasrc/scoped_tss_type.h | $(SRC
+ cp $< $@
+ # Chromium includes . This requires an install of libleveldb-dev that has
+ # memenv support included; move this into a local leveldb/ subdirectory
+-$(SRCDIR)/include/leveldb/memenv.h: /usr/include/leveldb/helpers/memenv.h | $(SRCDIR)/include/leveldb
+- cp $< $@
++$(SRCDIR)/include/leveldb/memenv.h: $(SRCDIR)/include/leveldb
++ cp @@NIXOS_LEVELDB@@/include/leveldb/helpers/memenv.h $@
+ # Chromium includes , so have a local copy.
+ $(SRCDIR)/include/testing/gtest/include/gtest/gtest_prod.h: extrasrc/gtest_prod.h | $(SRCDIR)/include/testing/gtest/include/gtest
+ cp $< $@
+@@ -80,7 +80,7 @@ GMOCK_DIR=$(SRCDIR)/gmock-$(GMOCK_VERSION)
+ GTEST_DIR=$(GMOCK_DIR)/gtest
+ src_gmock: $(GMOCK_DIR)/LICENSE
+ $(GMOCK_DIR)/LICENSE: | $(SRCDIR)
+- cd $(SRCDIR) && wget $(GMOCK_URL)
++ cd $(SRCDIR) && cp @@NIXOS_SRC_GMOCK@@ gmock-$(GMOCK_VERSION).zip && chmod +w gmock-$(GMOCK_VERSION).zip
+ cd $(SRCDIR) && unzip -q gmock-$(GMOCK_VERSION).zip
+ rm $(SRCDIR)/gmock-$(GMOCK_VERSION).zip
+ touch $@
+@@ -107,8 +107,7 @@ src_chromebase: $(SRCDIR)/base/base64.h
+ $(SRCDIR)/base: | $(SRCDIR)
+ mkdir -p $@
+ $(SRCDIR)/base/base64.h: | $(SRCDIR)/base
+- git clone $(CHROMEBASE_GIT) $(SRCDIR)/base
+- cd $(SRCDIR)/base && git checkout $(CHROMEBASE_COMMIT)
++ cp -r @@NIXOS_SRC_CHROMEBASE@@/. $(SRCDIR)/base && chmod -R +w $(SRCDIR)/base
+
+ # We need two subdirectories from the platform2 repository from ChromiumOS:
+ # - chaps/ for the Chaps source code
+@@ -119,14 +118,8 @@ $(SRCDIR)/platform2:
+ PLATFORM2_GIT=https://chromium.googlesource.com/chromiumos/platform2
+ PATCHES=$(wildcard $(CURDIR)/patches/platform2/*.patch)
+ $(SRCDIR)/platform2/chaps/Makefile: | $(SRCDIR)/platform2
+- cd $(SRCDIR)/platform2 && git init . && git remote add -f origin $(PLATFORM2_GIT)
+- cd $(SRCDIR)/platform2 && git config core.sparsecheckout true
+- cd $(SRCDIR)/platform2 && echo "chaps" > .git/info/sparse-checkout
+- cd $(SRCDIR)/platform2 && echo "libchromeos/chromeos" >> .git/info/sparse-checkout
+- cd $(SRCDIR)/platform2 && echo "common-mk/common.mk" >> .git/info/sparse-checkout
+- cd $(SRCDIR)/platform2 && git pull origin master
+- cd $(SRCDIR)/platform2 && git checkout $(CROS_BRANCH)
+- cd $(SRCDIR)/platform2 && if [ ! -z "$(PATCHES)" ]; then git am $(PATCHES); fi
++ cd $(SRCDIR)/platform2 && cp -r @@NIXOS_SRC_PLATFORM2@@/. . && chmod -R +w $(SRCDIR)/platform2
++ cd $(SRCDIR)/platform2 && if [ ! -z "$(PATCHES)" ]; then patch -p1 < $(PATCHES); fi
+
+
+ # Copy man pages
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 46daef79b3ae..f9727c7bd01b 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -3105,6 +3105,8 @@ let
 tpm-tools = callPackage ../tools/security/tpm-tools { };
+ chaps = callPackage ../tools/security/chaps { };
+
 trace-cmd = callPackage ../os-specific/linux/trace-cmd { };
 traceroute = callPackage ../tools/networking/traceroute { };
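Review bot: `patch -p1 < $(PATCHES)` only works while `patches/platform2/` holds exactly one file: `PATCHES` is a `$(wildcard …)` list, and with two entries the shell redirects stdin from the first and hands the second to `patch` as the file to modify, so the `git am $(PATCHES)` it replaces loses its multi-patch handling. Apply them one at a time and stop on the first failure: `cd $(SRCDIR)/platform2 && for p in $(PATCHES); do patch -p1 < $$p || exit 1; done` (the `-z` guard becomes unnecessary, since an empty list just skips the loop). `PLATFORM2_GIT=` is kept although nothing references it after this change, and the same presumably now holds for `$(GMOCK_URL)` and `$(CHROMEBASE_GIT)` defined outside the hunk; dropping them or marking them `# unused: sources are prefetched by Nix` avoids suggesting a network fetch still happens. `chmod -R +w` after copying out of the read-only store is right, though `u+w` states what is meant and does not depend on the umask.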