* [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine
@ 2018-12-07 18:13 Trent Piepho
  2018-12-29  5:36 ` Frank Hunleth
  2019-04-04 19:45 ` Thomas Petazzoni
  0 siblings, 2 replies; 11+ messages in thread
From: Trent Piepho @ 2018-12-07 18:13 UTC (permalink / raw)
  To: buildroot

Library for using PKCS#11, which includes an engine for OpenSSL that
lets it use PKCS#11 modules.  Which is really what this package is
about, not the libp11 library itself, which has no users outside of the
OpenSSL engine.

If p11-kit is enabled, configure the engine to use that as the default
PKCS#11 module.  That module is a sort of multiplexer that allows
multiple modules to be used at once, so it makes sense to use it even if
there are other modules present, e.g. softhsm2, nssckbi, pkcs11-proxy,
ykcs11, etc.

A host package is created too, with a host configuration option.  Since
this is a dynamically loaded module, there is no build time reason to
select it from a host package.  It could be used by host openssl, to
allow host rauc to sign a software update bundle using a key from an HSM
with a PKCS#11 interface.

Signed-off-by: Trent Piepho <tpiepho@impinj.com>
---
 package/Config.in             |  1 +
 package/Config.in.host        |  1 +
 package/libp11/Config.in      |  7 +++++++
 package/libp11/Config.in.host |  6 ++++++
 package/libp11/libp11.hash    |  3 +++
 package/libp11/libp11.mk      | 21 +++++++++++++++++++++
 6 files changed, 39 insertions(+)
 create mode 100644 package/libp11/Config.in
 create mode 100644 package/libp11/Config.in.host
 create mode 100644 package/libp11/libp11.hash
 create mode 100644 package/libp11/libp11.mk

diff --git a/package/Config.in b/package/Config.in
index f6252f2abb..940e7d2d2c 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1177,6 +1177,7 @@ menu "Crypto"
 	source "package/libmcrypt/Config.in"
 	source "package/libmhash/Config.in"
 	source "package/libnss/Config.in"
+	source "package/libp11/Config.in"
 	source "package/libscrypt/Config.in"
 	source "package/libsecret/Config.in"
 	source "package/libsha1/Config.in"
diff --git a/package/Config.in.host b/package/Config.in.host
index 06fb2e1996..89b39b0007 100644
--- a/package/Config.in.host
+++ b/package/Config.in.host
@@ -31,6 +31,7 @@ menu "Host utilities"
 	source "package/imx-usb-loader/Config.in.host"
 	source "package/jq/Config.in.host"
 	source "package/jsmin/Config.in.host"
+	source "package/libp11/Config.in.host"
 	source "package/lpc3250loader/Config.in.host"
 	source "package/lttng-babeltrace/Config.in.host"
 	source "package/mfgtools/Config.in.host"
diff --git a/package/libp11/Config.in b/package/libp11/Config.in
new file mode 100644
index 0000000000..0b9a739db3
--- /dev/null
+++ b/package/libp11/Config.in
@@ -0,0 +1,7 @@
+config BR2_PACKAGE_LIBP11
+	bool "libp11"
+	select BR2_PACKAGE_OPENSSL
+	help
+	  OpenSSL engine for PKCS#11 modules.  Part of the OpenSC project.
+
+	  https://github.com/OpenSC/OpenSC/wiki
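Review bot: BR2_PACKAGE_LIBP11 lacks a `depends on !BR2_STATIC_LIBS` (with the usual `comment "libp11 needs a toolchain w/ dynamic library"` / `depends on BR2_STATIC_LIBS` pair), yet the engine is itself a dlopen()ed module and libp11 in turn dlopen()s whatever PKCS#11 module it is pointed at, so a static-only configuration can neither build nor use it. The help URL also points at the generic OpenSC wiki; the project's own page, https://github.com/OpenSC/libp11, is the more useful upstream reference for the engine.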
diff --git a/package/libp11/Config.in.host b/package/libp11/Config.in.host
new file mode 100644
index 0000000000..ccc171025a
--- /dev/null
+++ b/package/libp11/Config.in.host
@@ -0,0 +1,6 @@
+config BR2_PACKAGE_HOST_LIBP11
+	bool "host libp11"
+	help
+	  OpenSSL engine for PKCS#11 modules.  Part of the OpenSC project.
+
+	  https://github.com/OpenSC/OpenSC/wiki
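Review bot: BR2_PACKAGE_HOST_LIBP11 has no dependency and a help text that does not say what a host copy of the engine is for; since nothing in the build selects it, a user only learns its purpose from the commit message. Suggest carrying that rationale into the help (the engine is loaded at run time by host OpenSSL, e.g. so host rauc can sign an update bundle with a PKCS#11-backed key) and pointing the URL at https://github.com/OpenSC/libp11 rather than the generic OpenSC wiki.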
diff --git a/package/libp11/libp11.hash b/package/libp11/libp11.hash
new file mode 100644
index 0000000000..01cea6466b
--- /dev/null
+++ b/package/libp11/libp11.hash
@@ -0,0 +1,3 @@
+# Locally computed:
+sha256 9d1c76d74c21ca224f96204982097ebc6b956f645b2b0b5f9c502a20e9ffcfd8  libp11-0.4.9.tar.gz
+sha256 d80c9d084ebfb50ea1ed91bfbc2410d6ce542097a32c43b00781b83adcb8c77f  COPYING
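Review bot: The comment says "Locally computed", but libp11-0.4.9.tar.gz is fetched from a GitHub release page; if upstream publishes a checksum or signature for that tarball, the comment should say what the hash was checked against, so a reviewer can verify it independently instead of trusting the submitter's download. Hashing COPYING alongside the tarball is right: a silent change of license text then fails the build rather than passing unnoticed.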
diff --git a/package/libp11/libp11.mk b/package/libp11/libp11.mk
new file mode 100644
index 0000000000..9dc098870e
--- /dev/null
+++ b/package/libp11/libp11.mk
@@ -0,0 +1,21 @@
+################################################################################
+#
+# libp11
+#
+################################################################################
+
+LIBP11_VERSION = 0.4.9
+LIBP11_SITE = https://github.com/OpenSC/libp11/releases/download/libp11-$(LIBP11_VERSION)
+LIBP11_DEPENDENCIES = openssl
+LIBP11_INSTALL_STAGING = YES
+LIBP11_LICENSE = LGPLv2.1
+LIBP11_LICENSE_FILES = COPYING
+
+ifeq ($(BR2_PACKAGE_P11_KIT),y)
+LIBP11_CONF_OPTS += --with-pkcs11-module=/usr/lib/p11-kit-proxy.so
+endif
+
+HOST_LIBP11_DEPENDENCIES = host-openssl
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
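Review bot: `LIBP11_LICENSE = LGPLv2.1` understates what COPYING grants (LGPL-2.1 or later) and is not in the SPDX form Buildroot uses, so it should read `LGPL-2.1+`. Two build problems sit in the same hunk: `LIBP11_DEPENDENCIES = openssl` and `HOST_LIBP11_DEPENDENCIES = host-openssl` both omit `host-pkgconf`, which configure uses to locate OpenSSL, and nothing fixes the engine directory, so configure takes `pkg-config --variable=enginesdir libcrypto`, which in a sysroot build can come back prefixed with the staging directory and put the engine where the target's OpenSSL will never look; pass `--with-enginesdir=` explicitly in `LIBP11_CONF_OPTS` rather than trusting that value. The `--with-pkcs11-module=/usr/lib/p11-kit-proxy.so` default is only added to the target options, which is correct: it is a path the engine dlopen()s at run time on the target, and an absolute path keeps a bare module name from being resolved through the dynamic loader's search path.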
-- 
2.14.4
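
The engine configuration this commit message describes, as an added illustration (it is not part of the patch or of the libp11 project's files): an OpenSSL configuration that loads the libp11 engine and points it at the p11-kit proxy, together with the p11-kit module file that registers one backend behind the proxy. The paths `/usr/lib/engines-1.1/pkcs11.so`, `/usr/lib/p11-kit-proxy.so` and `/usr/lib/softhsm/libsofthsm2.so` are assumptions for a typical Buildroot target; with `--with-pkcs11-module` baked in at configure time, as the patch does when p11-kit is enabled, the `MODULE_PATH` line can be left out.

```ini
# /etc/ssl/openssl.cnf (assumed location; added example, not from the patch)
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Where the libp11 package installs the engine (assumed path)
dynamic_path = /usr/lib/engines-1.1/pkcs11.so
# Which PKCS#11 module the engine dlopen()s; redundant when libp11 was
# configured with --with-pkcs11-module, shown so the choice is visible.
# Keep it an absolute path so the loader's search path is never consulted.
MODULE_PATH = /usr/lib/p11-kit-proxy.so
init = 0

# /etc/pkcs11/modules/softhsm2.module (assumed): one backend behind the
# proxy. Adding a second .module file adds another backend without any
# change to openssl.cnf, which is the multiplexing the commit message means.
module: /usr/lib/softhsm/libsofthsm2.so
critical: no
```

`openssl engine -t pkcs11` reports whether the engine loads and initialises. Keys are then named by PKCS#11 URI (`pkcs11:token=...;object=...`) with `-keyform engine`; avoid putting `pin-value=` in a URI on the command line, since it is visible to every local user in the process list, and prefer the engine section's `PIN` setting in a root-only config file or an interactive prompt. Because OpenSSL dlopen()s both the engine and the module path from this file, all three files must be root-owned and not writable by unprivileged users.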


* [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine
  2018-12-07 18:13 [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine Trent Piepho
@ 2018-12-29  5:36 ` Frank Hunleth
  2018-12-31 20:10   ` Trent Piepho
  2019-04-04 19:45 ` Thomas Petazzoni
  1 sibling, 1 reply; 11+ messages in thread
From: Frank Hunleth @ 2018-12-29  5:36 UTC (permalink / raw)
  To: buildroot

Hi Trent,

I was about to submit libp11 and then saw your patch, so thanks for submitting.

The commit title should be "libp11: new package".

On Fri, Dec 7, 2018 at 12:28 PM Trent Piepho <tpiepho@impinj.com> wrote:
>
> Library for using PKCS#11, which includes an engine for OpenSSL that
> lets it use PKCS#11 modules.  Which is really what this package is
> about, not the libp11 library itself, which has no users outside of the
> OpenSSL engine.
>
> If p11-kit is enabled, configure the engine to use that as the default
> PKCS#11 module.  That module is a sort of multiplexer that allows
> multiple modules to be used at once, so it makes sense to use it even if
> there are other modules present, e.g. softhsm2, nssckbi, pkcs11-proxy,
> ykcs11, etc.
>
> A host package is created too, with a host configuration option.  Since
> this is a dynamically loaded module, there is no build time reason to
> select it from a host package.  It could be used by host openssl, to
> allow host rauc to sign a software update bundle using a key from an HSM
> with a PKCS#11 interface.
>
> Signed-off-by: Trent Piepho <tpiepho@impinj.com>
> ---
>  package/Config.in             |  1 +
>  package/Config.in.host        |  1 +
>  package/libp11/Config.in      |  7 +++++++
>  package/libp11/Config.in.host |  6 ++++++
>  package/libp11/libp11.hash    |  3 +++
>  package/libp11/libp11.mk      | 21 +++++++++++++++++++++
>  6 files changed, 39 insertions(+)
>  create mode 100644 package/libp11/Config.in
>  create mode 100644 package/libp11/Config.in.host
>  create mode 100644 package/libp11/libp11.hash
>  create mode 100644 package/libp11/libp11.mk
>
> diff --git a/package/Config.in b/package/Config.in
> index f6252f2abb..940e7d2d2c 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1177,6 +1177,7 @@ menu "Crypto"
>         source "package/libmcrypt/Config.in"
>         source "package/libmhash/Config.in"
>         source "package/libnss/Config.in"
> +       source "package/libp11/Config.in"
>         source "package/libscrypt/Config.in"
>         source "package/libsecret/Config.in"
>         source "package/libsha1/Config.in"
> diff --git a/package/Config.in.host b/package/Config.in.host
> index 06fb2e1996..89b39b0007 100644
> --- a/package/Config.in.host
> +++ b/package/Config.in.host
> @@ -31,6 +31,7 @@ menu "Host utilities"
>         source "package/imx-usb-loader/Config.in.host"
>         source "package/jq/Config.in.host"
>         source "package/jsmin/Config.in.host"
> +       source "package/libp11/Config.in.host"
>         source "package/lpc3250loader/Config.in.host"
>         source "package/lttng-babeltrace/Config.in.host"
>         source "package/mfgtools/Config.in.host"
> diff --git a/package/libp11/Config.in b/package/libp11/Config.in
> new file mode 100644
> index 0000000000..0b9a739db3
> --- /dev/null
> +++ b/package/libp11/Config.in
> @@ -0,0 +1,7 @@
> +config BR2_PACKAGE_LIBP11
> +       bool "libp11"
> +       select BR2_PACKAGE_OPENSSL
> +       help
> +         OpenSSL engine for PKCS#11 modules.  Part of the OpenSC project.
> +
> +         https://github.com/OpenSC/OpenSC/wiki
> diff --git a/package/libp11/Config.in.host b/package/libp11/Config.in.host
> new file mode 100644
> index 0000000000..ccc171025a
> --- /dev/null
> +++ b/package/libp11/Config.in.host
> @@ -0,0 +1,6 @@
> +config BR2_PACKAGE_HOST_LIBP11
> +       bool "host libp11"
> +       help
> +         OpenSSL engine for PKCS#11 modules.  Part of the OpenSC project.
> +
> +         https://github.com/OpenSC/OpenSC/wiki
> diff --git a/package/libp11/libp11.hash b/package/libp11/libp11.hash
> new file mode 100644
> index 0000000000..01cea6466b
> --- /dev/null
> +++ b/package/libp11/libp11.hash
> @@ -0,0 +1,3 @@
> +# Locally computed:
> +sha256 9d1c76d74c21ca224f96204982097ebc6b956f645b2b0b5f9c502a20e9ffcfd8  libp11-0.4.9.tar.gz
> +sha256 d80c9d084ebfb50ea1ed91bfbc2410d6ce542097a32c43b00781b83adcb8c77f  COPYING
> diff --git a/package/libp11/libp11.mk b/package/libp11/libp11.mk
> new file mode 100644
> index 0000000000..9dc098870e
> --- /dev/null
> +++ b/package/libp11/libp11.mk
> @@ -0,0 +1,21 @@
> +################################################################################
> +#
> +# libp11
> +#
> +################################################################################
> +
> +LIBP11_VERSION = 0.4.9
> +LIBP11_SITE = https://github.com/OpenSC/libp11/releases/download/libp11-$(LIBP11_VERSION)

I'm not sure what official BR policy is, but it seems that most
github-hosted packages use the github helper:

LIBP11_VERSION = libp11-0.4.9
LIBP11_SITE = $(call github,OpenSC,libp11,$(LIBP11_VERSION))

and then you'll need

LIBP11_AUTORECONF = YES

> +LIBP11_DEPENDENCIES = openssl
> +LIBP11_INSTALL_STAGING = YES
> +LIBP11_LICENSE = LGPLv2.1

It looks like the license is "LGPL-2.1+"

> +LIBP11_LICENSE_FILES = COPYING
> +
> +ifeq ($(BR2_PACKAGE_P11_KIT),y)
> +LIBP11_CONF_OPTS += --with-pkcs11-module=/usr/lib/p11-kit-proxy.so
> +endif
> +
> +HOST_LIBP11_DEPENDENCIES = host-openssl

I've tested this on device and with OpenSSL 1.1.0 (not OpenSSL 1.0.2
which is currently in BR master). That combination works well. I'm
hopeful that the OpenSSL 1.1.0 patches can be integrated. When that
happens,

Tested-by: Frank Hunleth <fhunleth@troodon-software.com>

> +
> +$(eval $(autotools-package))
> +$(eval $(host-autotools-package))
> --
> 2.14.4
>


* [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine
  2018-12-29  5:36 ` Frank Hunleth
@ 2018-12-31 20:10   ` Trent Piepho
  0 siblings, 0 replies; 11+ messages in thread
From: Trent Piepho @ 2018-12-31 20:10 UTC (permalink / raw)
  To: buildroot

On Fri, 2018-12-28 at 23:36 -0600, Frank Hunleth wrote:
> Hi Trent,
> 
> I was about to submit libp11 and then saw your patch, so thanks for submitting.
> 
> The commit title should be "libp11: new package".

I see the imperative form is much less common, 100 vs 1604.  I wanted
to add the engine bit, since the package name, libp11, sounds like a
library for pkcs11.  Which exists, but no one uses that.  It's really
about the openssl engine.

> > 
> I'm not sure what official BR policy is, but it seems that most
> github-hosted packages use the github helper:
> 
> LIBP11_VERSION = libp11-0.4.9
> LIBP11_SITE = $(call github,OpenSC,libp11,$(LIBP11_VERSION))
> 
> and then you'll need
> 
> LIBP11_AUTORECONF = YES

I didn't want to use that, since the github macro didn't produce the
official release tarball.  Hence the need for autoreconf.  I was under
the impression buildroot policy was to prefer an official release
package vs a git repository tag.

> 
> > +LIBP11_DEPENDENCIES = openssl
> > +LIBP11_INSTALL_STAGING = YES
> > +LIBP11_LICENSE = LGPLv2.1
> 
> It looks like the license is "LGPL-2.1+"

Yes, you're right, I failed to update this.  I added this package back
in 2017 and up to buildroot 2017.02 the license string was
"LGPLv2.1(+?)".

> > +LIBP11_LICENSE_FILES = COPYING
> > +
> > +ifeq ($(BR2_PACKAGE_P11_KIT),y)
> > +LIBP11_CONF_OPTS += --with-pkcs11-module=/usr/lib/p11-kit-proxy.so
> > +endif
> > +
> > +HOST_LIBP11_DEPENDENCIES = host-openssl
> 
> I've tested this on device and with OpenSSL 1.1.0 (not OpenSSL 1.0.2
> which is currently in BR master). That combination works well. I'm
> hopeful that the OpenSSL 1.1.0 patches can be integrated. When that
> happens,
> 
> Tested-by: Frank Hunleth <fhunleth@troodon-software.com>
> 
> > 


* [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine
  2018-12-07 18:13 [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine Trent Piepho
  2018-12-29  5:36 ` Frank Hunleth
@ 2019-04-04 19:45 ` Thomas Petazzoni
  2019-04-04 21:10   ` Trent Piepho
  1 sibling, 1 reply; 11+ messages in thread
From: Thomas Petazzoni @ 2019-04-04 19:45 UTC (permalink / raw)
  To: buildroot

Hello Trent,

On Fri, 7 Dec 2018 18:13:30 +0000
Trent Piepho <tpiepho@impinj.com> wrote:

> Library for using PKCS#11, which includes an engine for OpenSSL that
> lets it use PKCS#11 modules.  Which is really what this package is
> about, not the libp11 library itself, which has no users outside of the
> OpenSSL engine.
> 
> If p11-kit is enabled, configure the engine to use that as the default
> PKCS#11 module.  That module is a sort of multiplexer that allows
> multiple modules to be used at once, so it makes sense to use it even if
> there are other modules present, e.g. softhsm2, nssckbi, pkcs11-proxy,
> ykcs11, etc.
> 
> A host package is created too, with a host configuration option.  Since
> this is a dynamically loaded module, there is no build time reason to
> select it from a host package.  It could be used by host openssl, to
> allow host rauc to sign a software update bundle using a key from an HSM
> with a PKCS#11 interface.
> 
> Signed-off-by: Trent Piepho <tpiepho@impinj.com>

Thanks, I've applied after doing a number of changes, mainly to fix
build failures. See below.

> ---
>  package/Config.in             |  1 +
>  package/Config.in.host        |  1 +
>  package/libp11/Config.in      |  7 +++++++
>  package/libp11/Config.in.host |  6 ++++++
>  package/libp11/libp11.hash    |  3 +++
>  package/libp11/libp11.mk      | 21 +++++++++++++++++++++

An entry in the DEVELOPERS file was missing.


> diff --git a/package/libp11/Config.in b/package/libp11/Config.in
> new file mode 100644
> index 0000000000..0b9a739db3
> --- /dev/null
> +++ b/package/libp11/Config.in
> @@ -0,0 +1,7 @@
> +config BR2_PACKAGE_LIBP11
> +	bool "libp11"

This lacked a:

	depends on !BR2_STATIC_LIBS

as libp11 requires dlopen(). This was detected by
using ./utils/test-pkg.

> diff --git a/package/libp11/libp11.mk b/package/libp11/libp11.mk
> new file mode 100644
> index 0000000000..9dc098870e
> --- /dev/null
> +++ b/package/libp11/libp11.mk
> @@ -0,0 +1,21 @@
> +################################################################################
> +#
> +# libp11
> +#
> +################################################################################
> +
> +LIBP11_VERSION = 0.4.9
> +LIBP11_SITE = https://github.com/OpenSC/libp11/releases/download/libp11-$(LIBP11_VERSION)
> +LIBP11_DEPENDENCIES = openssl

It also needs host-pkgconf, because pkg-config is used to detect
OpenSSL.

Then, even with this fixed, the package didn't build because it was
installing its OpenSSL modules in the wrong folder, as pkg-config
--variable enginesdir libcrypto returned a bogus value. I fixed that by
passing --with-enginesdir.

> +LIBP11_INSTALL_STAGING = YES
> +LIBP11_LICENSE = LGPLv2.1

I fixed the license information as well, as pointed out by Frank
Hunleth in a previous review.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine
  2019-04-04 19:45 ` Thomas Petazzoni
@ 2019-04-04 21:10   ` Trent Piepho
  2019-04-05  7:49     ` Thomas Petazzoni
  0 siblings, 1 reply; 11+ messages in thread
From: Trent Piepho @ 2019-04-04 21:10 UTC (permalink / raw)
  To: buildroot

On Thu, 2019-04-04 at 21:45 +0200, Thomas Petazzoni wrote:
> 
> > Library for using PKCS#11, which includes an engine for OpenSSL that
> > lets it use PKCS#11 modules.  Which is really what this package is
> > about, not the libp11 library itself, which has no users outside of the
> > OpenSSL engine.
> > 
> > 
> It also needs host-pkgconf, because pkg-config is used to detect
> OpenSSL.

I had assumed this was implicit in an autotools-package, but I see that
it is not.

> 
> Then, even with this fixed, the package didn't build because it was
> installing its OpenSSL modules in the wrong folder, as pkg-config
> --variable enginesdir libcrypto returned a bogus value. I fixed that by
> passing --with-enginesdir.

This is interesting, as when I made this patch for an older buildroot,
pkgconfig would return the correct value.  It was not prefixed with the
stage.  This is a new behavior.

And it looks like this already hit a bunch of packages with things like
the x11 app-defaults dir.  Since "libdir" is in the whitelist of paths
to prefix, it also hits enginesdir since the latter is based on libdir.

Maybe that pkg-config whitelist should not affect variables that use
libdir and only prefix libdir itself?


* [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine
  2019-04-04 21:10   ` Trent Piepho
@ 2019-04-05  7:49     ` Thomas Petazzoni
  2019-04-05 17:57       ` Trent Piepho
  0 siblings, 1 reply; 11+ messages in thread
From: Thomas Petazzoni @ 2019-04-05  7:49 UTC (permalink / raw)
  To: buildroot

Hello Trent,

On Thu, 4 Apr 2019 21:10:50 +0000
Trent Piepho <tpiepho@impinj.com> wrote:

> > It also needs host-pkgconf, because pkg-config is used to detect
> > OpenSSL.  
> 
> I had assumed this was implicit in an autotools-package, but I see that
> it is not.

Indeed, host-pkgconf is not in the default dependencies added by
autotools-package, based on the fact that using autotools does not
necessarily imply using host-pkgconf (though admittedly, this is more
and more often the case).

> > Then, even with this fixed, the package didn't build because it was
> > installing its OpenSSL modules in the wrong folder, as pkg-config
> > --variable enginesdir libcrypto returned a bogus value. I fixed that by
> > passing --with-enginesdir.  
> 
> This is interesting, as when I made this patch for an older buildroot,
> pkgconfig would return the correct value.  It was not prefixed with the
> stage.  This is a new behavior.
> 
> And it looks like this already hit a bunch of packages with things like
> the x11 app-defaults dir.  Since "libdir" is in the whitelist of paths
> to prefix, it also hits enginesdir since the latter is based on libdir.
> 
> Maybe that pkg-config whitelist should not affect variables that use
> libdir and only prefix libdir itself?

We have bumped pkg-config not long ago, and indeed its behavior
changed. When you have something like this:

prefix=/usr
libdir=${prefix}/lib
enginesdir=${libdir}/engines

and "libdir" was part of the special list of variables that we want to
prefix with the sysroot, then the old pkg-config would return libdir
prefixed with the sysroot, but not enginesdir.

With the new pkg-config version, the behavior changed, and because
enginesdir is derived from libdir, enginesdir is going to be
sysroot-prefixed.

Overall, the issue is that there is no concept in pkg-config for "the
value of this variable is going to be used at build time" vs "the
value of this variable is going to be used at run time".

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine
  2019-04-05  7:49     ` Thomas Petazzoni
@ 2019-04-05 17:57       ` Trent Piepho
  2019-04-05 19:29         ` jonsmirl at gmail.com
  2019-04-26  8:12         ` Thomas Petazzoni
  0 siblings, 2 replies; 11+ messages in thread
From: Trent Piepho @ 2019-04-05 17:57 UTC (permalink / raw)
  To: buildroot

On Fri, 2019-04-05 at 09:49 +0200, Thomas Petazzoni wrote:
> On Thu, 4 Apr 2019 21:10:50 +0000
> Trent Piepho <tpiepho@impinj.com> wrote:
> Then, even with this fixed, the package didn't build because it was
> > > installing its OpenSSL modules in the wrong folder, as pkg-config
> > > --variable enginesdir libcrypto returned a bogus value. I fixed that by
> > > passing --with-enginesdir.  
> > 
> > This is interesting, as when I made this patch for an older buildroot,
> > pkgconfig would return the correct value.  It was not prefixed with the
> > stage.  This is a new behavior.
> > 
> > And it looks like this already hit a bunch of packages with things like
> > the x11 app-defaults dir.  Since "libdir" is in the whitelist of paths
> > to prefix, it also hits enginesdir since the latter is based on libdir.
> > 
> > Maybe that pkg-config whitelist should not affect variables that use
> > libdir and only prefix libdir itself?
> 
> We have bumped pkg-config not long ago, and indeed its behavior
> changed. When you have something like this:
> 
> prefix=/usr
> libdir=${prefix}/lib
> enginesdir=${libdir}/engines

I suppose another fix would be to patch the libcrypto pc file to use
${prefix}/lib/engines.  If there were more consumers of enginesdir,
then perhaps better to fix it once at the source than in each user?

> and "libdir" was part of the special list of variables that we want to
> prefix with the sysroot, then the old pkg-config would return libdir
> prefixed with the sysroot, but not enginesdir.

I assume there are packages which install libraries to the stage in
sub-directories based on libdir, and this new pkg-config behavior is
better for those cases, while worse for cases like enginesdir.

Maybe some kind of run time control of pkg-config would allow it to
work better?  For instance, an environment variable with some kind of
white/black list of variables to prefix.  Default value would prefix
libdir, etc.  But it could be tweaked by infras and/or packages.
Kind of like:

LIBP11_PKGCONFIG_NOT_STAGE_VARS = enginesdir

Maybe the plumbing costs of this aren't worth making a few packages
simpler.

> Overall, the issue is that there is no concept in pkg-config for "the
> value of this variable is going to be used at build time" vs "the
> value of this variable is going to be used at run time".

Shame.  Maybe buildroot should create a new build system, to replace
autotools, cmake, and meson, that knows about all the issues of cross
building?  Yes, huge project.  Need macos and windows support.  But
think of how much easier buildroot would be if you didn't have to fight
autotools and cmake!
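
A small model of the two pkg-config behaviours Thomas describes above (prefixing a whitelisted variable at lookup time versus at definition time, so that a derived variable such as enginesdir does or does not inherit the sysroot), with Trent's alternative of deriving enginesdir from ${prefix} run through the same model. This is an added example, not Buildroot's pkgconf patch or pkgconf itself; the sysroot path, the contents of the whitelist and the libcrypto.pc text are constructed for the illustration, and `enginesdir_for_configure` is a suggested check, not what libp11's configure script does.

```python
"""Model of sysroot prefixing of pkg-config variables (added example).

A constructed illustration of the behaviour discussed in the thread; it is
not Buildroot's pkgconf patch and not pkgconf's own code.
"""
import re

# Assumed staging directory; only its role as a prefix matters here.
SYSROOT = "/output/host/arm-buildroot-linux-gnueabihf/sysroot"

# Assumption: a whitelist of the kind Thomas describes.  Buildroot's real
# list is not reproduced; "libdir" is the entry that matters for enginesdir.
SYSROOT_VARS = frozenset({"libdir", "includedir"})

# Constructed libcrypto.pc fragment with enginesdir derived from libdir,
# the shape Thomas quotes (not copied from any OpenSSL release).
LIBCRYPTO_PC = """\
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include
enginesdir=${libdir}/engines-1.1

Name: OpenSSL-libcrypto
Description: OpenSSL cryptography library
Version: 1.1.1
Libs: -L${libdir} -lcrypto
Cflags: -I${includedir}
"""

# Trent's alternative: derive enginesdir from ${prefix} instead of ${libdir}.
LIBCRYPTO_PC_PATCHED = LIBCRYPTO_PC.replace(
    "enginesdir=${libdir}/engines-1.1", "enginesdir=${prefix}/lib/engines-1.1")

_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def parse_pc_variables(text):
    """Return the 'name=value' definitions of a .pc file, unexpanded, in file
    order.  'Keyword: value' lines (Name, Libs, Cflags, ...) are skipped."""
    defs = []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        name, value = line.split("=", 1)
        if ":" in name:  # a keyword line whose value happens to contain '='
            continue
        defs.append((name.strip(), value.strip()))
    return defs


def _expand(value, env):
    return _REF.sub(lambda m: env.get(m.group(1), ""), value)


def _prefixed(value, sysroot):
    if value.startswith("/") and not value.startswith(sysroot):
        return sysroot + value
    return value


def resolve_prefix_at_lookup(defs, sysroot, sysroot_vars=SYSROOT_VARS):
    """Older behaviour: expand every variable without the sysroot, then prefix
    only whitelisted variables on output.  A variable derived from libdir,
    such as enginesdir, keeps its plain target path."""
    env = {}
    for name, raw in defs:
        env[name] = _expand(raw, env)
    return {n: (_prefixed(v, sysroot) if n in sysroot_vars else v)
            for n, v in env.items()}


def resolve_prefix_at_definition(defs, sysroot, sysroot_vars=SYSROOT_VARS):
    """Newer behaviour: the sysroot is applied when a whitelisted variable is
    defined, so everything expanded from it afterwards inherits the prefix."""
    env = {}
    for name, raw in defs:
        value = _expand(raw, env)
        if name in sysroot_vars:
            value = _prefixed(value, sysroot)
        env[name] = value
    return env


def sysroot_leaked(path, sysroot):
    """True when a path meant for the target (a run-time dlopen() location)
    still carries the build host's staging prefix."""
    return path.startswith(sysroot)


def enginesdir_for_configure(resolved, sysroot, override=None):
    """Suggested check for a package build: an explicit --with-enginesdir
    wins; otherwise refuse a sysroot-tainted value instead of installing
    the engine where the target's OpenSSL will never look."""
    if override is not None:
        return override
    candidate = resolved["enginesdir"]
    if sysroot_leaked(candidate, sysroot):
        raise ValueError(f"enginesdir {candidate!r} points into the sysroot")
    return candidate


if __name__ == "__main__":
    defs = parse_pc_variables(LIBCRYPTO_PC)
    for label, fn in (("prefix at lookup", resolve_prefix_at_lookup),
                      ("prefix at definition", resolve_prefix_at_definition)):
        r = fn(defs, SYSROOT)
        print(f"{label:21} libdir={r['libdir']}  enginesdir={r['enginesdir']}")
```

With prefixing at definition time the model returns the staging path for enginesdir, which is the value Thomas saw configure pick up; the ${prefix}-based .pc text keeps enginesdir on the target side because prefix itself is not on the assumed whitelist, which is Trent's point, and also why such a change would only be correct for pkg-config builds that prefix this particular set of variables.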


* [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine
  2019-04-05 17:57       ` Trent Piepho
@ 2019-04-05 19:29         ` jonsmirl at gmail.com
  2019-04-06 11:57           ` Thomas Petazzoni
  2019-04-26  8:12         ` Thomas Petazzoni
  1 sibling, 1 reply; 11+ messages in thread
From: jonsmirl at gmail.com @ 2019-04-05 19:29 UTC (permalink / raw)
  To: buildroot

I managed to get libp11 working with this makefile. The previous problems I
encountered were fixed by a full rebuild of my tree. I needed libp11
because we are using the ATECC608A for securely accessing AWS IoT. It
also works with Google and Azure.
https://github.com/MicrochipTech/cryptoauthlib/wiki/PKCS11-Linux-Setup


################################################################################
#
# libp11
#
################################################################################

# Tracks libp11 master (post-0.4.9, for ECC support) rather than a release
# tarball, hence the autoreconf.
LIBP11_VERSION = 4fa36e3a04bfe2d0a7b0b8b6f25866dac2f6cc8b
LIBP11_SITE = $(call github,OpenSC,libp11,$(LIBP11_VERSION))
LIBP11_DEPENDENCIES = openssl
LIBP11_LICENSE = LGPL-2.1+
LIBP11_LICENSE_FILES = COPYING
LIBP11_AUTORECONF = YES
LIBP11_INSTALL_STAGING = YES
LIBP11_INSTALL_TARGET = YES

# Set the engines directory explicitly instead of trusting the value
# pkg-config reports for enginesdir in a sysroot build.
LIBP11_CONF_OPTS += --with-enginesdir=/usr/lib/engines-1.1
ifeq ($(BR2_PACKAGE_P11_KIT),y)
LIBP11_CONF_OPTS += --with-pkcs11-module=/usr/lib/p11-kit-proxy.so
endif

# OpenSSL dlopen()s these: install them 0755, never world-writable.
# "install -D" creates the leading directories itself.
define LIBP11_INSTALL_TARGET_CMDS
	$(INSTALL) -D -m 0755 $(@D)/src/.libs/libp11.so \
		$(TARGET_DIR)/usr/lib/libp11.so
	$(INSTALL) -D -m 0755 $(@D)/src/.libs/pkcs11.so \
		$(TARGET_DIR)/usr/lib/engines-1.1/pkcs11.so
endef

$(eval $(autotools-package))

################################################################################
#
# cryptoauthlib
#
################################################################################

CRYPTOAUTHLIB_VERSION = 21f9f26f3dae7194177f8be1b38bf8081616cd61
CRYPTOAUTHLIB_SITE = $(call github,MicrochipTech,cryptoauthlib,$(CRYPTOAUTHLIB_VERSION))
CRYPTOAUTHLIB_LICENSE = LGPL-2.1
CRYPTOAUTHLIB_DEPENDENCIES = libp11 udev
# ATCA_PRINTF and a DEBUG build type are bring-up settings.
CRYPTOAUTHLIB_CONF_OPTS += -DATCA_HAL_I2C=ON -DATCA_PRINTF=ON \
	-DCMAKE_BUILD_TYPE=DEBUG -DATCA_HAL_KIT_HID=OFF
CRYPTOAUTHLIB_INSTALL_TARGET = YES

# Configuration read by the PKCS#11 module is installed read-only for
# everyone but root (0644); if the module has to write slot state at run
# time, grant that to its service user rather than making the files 0666.
define CRYPTOAUTHLIB_INSTALL_TARGET_CMDS
	$(INSTALL) -D -m 0755 $(@D)/lib/libcryptoauth.so* $(TARGET_DIR)/usr/lib
	$(INSTALL) -D -m 0644 $(@D)/cryptoauthlib.conf \
		$(TARGET_DIR)/etc/cryptoauthlib/cryptoauthlib.conf
	$(INSTALL) -D -m 0644 $(@D)/app/pkcs11/slot.conf.tmpl \
		$(TARGET_DIR)/var/lib/cryptoauthlib/slot.conf.tmpl
endef

$(eval $(cmake-package))




-- 
Jon Smirl
jonsmirl at gmail.com


* [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine
  2019-04-05 19:29         ` jonsmirl at gmail.com
@ 2019-04-06 11:57           ` Thomas Petazzoni
  2019-04-06 14:39             ` jonsmirl at gmail.com
  0 siblings, 1 reply; 11+ messages in thread
From: Thomas Petazzoni @ 2019-04-06 11:57 UTC (permalink / raw)
  To: buildroot

Hello Jon,

On Fri, 5 Apr 2019 15:29:03 -0400
"jonsmirl at gmail.com" <jonsmirl@gmail.com> wrote:

> I managed to get libp11 working with this makefile. The previous problems I
> encountered were fixed by a full rebuild of my tree. I needed libp11
> because we are using the ATECC608A for securely accessing with AWS IOT. It
> also works with Google and Azure.
> https://github.com/MicrochipTech/cryptoauthlib/wiki/PKCS11-Linux-Setup

There is already a libp11 package in Buildroot, I merged the patch that
was contributed by Trent Piepho a few days ago:

  https://git.buildroot.org/buildroot/commit/package/libp11?id=c4fc706f556c80046bf5cba93b1964c376c71208

> ################################################################################
> #
> # cryptoauthlib
> #

However, we don't have this package in Buildroot. Could you submit a
proper patch adding it, so that we can do a review and hopefully merge
it ?

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine
  2019-04-06 11:57           ` Thomas Petazzoni
@ 2019-04-06 14:39             ` jonsmirl at gmail.com
  0 siblings, 0 replies; 11+ messages in thread
From: jonsmirl at gmail.com @ 2019-04-06 14:39 UTC (permalink / raw)
  To: buildroot

On Sat, Apr 6, 2019 at 7:57 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Jon,
>
> On Fri, 5 Apr 2019 15:29:03 -0400
> "jonsmirl at gmail.com" <jonsmirl@gmail.com> wrote:
>
> > I managed to get libp11 working with this makefile. The previous problems I
> > encountered were fixed by a full rebuild of my tree. I needed libp11
> > because we are using the ATECC608A for securely accessing with AWS IOT. It
> > also works with Google and Azure.
> > https://github.com/MicrochipTech/cryptoauthlib/wiki/PKCS11-Linux-Setup
>
> There is already a libp11 package in Buildroot, I merged the patch that
> was contributed by Trent Piepho a few days ago:

The last release, 0.4.9, of libp11 predates the addition of ECC
(Elliptic-curve cryptography) support to libp11. I'm picking up the
master branch in my build which has ECC support. cryptoauthlib (below)
needs the ECC support.

I just checked libp11, they released 0.4.10 a couple of days ago and
it includes the ECC support.

You also need to edit the source of cryptoauthlib to change the i2c
address. I filed a bug asking them to move this configuration to the conf
file.  https://github.com/MicrochipTech/cryptoauthlib/issues/70


>
>   https://git.buildroot.org/buildroot/commit/package/libp11?id=c4fc706f556c80046bf5cba93b1964c376c71208
>
> > ################################################################################
> > #
> > # cryptoauthlib
> > #
>
> However, we don't have this package in Buildroot. Could you submit a
> proper patch adding it, so that we can do a review and hopefully merge
> it?
>
> Thanks,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com



-- 
Jon Smirl
jonsmirl at gmail.com


* [Buildroot] [PATCH v2] libp11: Add new package for OpenSSL PKCS#11 engine
  2019-04-05 17:57       ` Trent Piepho
  2019-04-05 19:29         ` jonsmirl at gmail.com
@ 2019-04-26  8:12         ` Thomas Petazzoni
  1 sibling, 0 replies; 11+ messages in thread
From: Thomas Petazzoni @ 2019-04-26  8:12 UTC (permalink / raw)
  To: buildroot

Hello Trent,

On Fri, 5 Apr 2019 17:57:02 +0000
Trent Piepho <tpiepho@impinj.com> wrote:

> > prefix=/usr
> > libdir=${prefix}/lib
> > enginesdir=${libdir}/engines  
> 
> I suppose another fix would be to patch the libcrypto pc file to use
> ${prefix}/lib/engines.  If there were more consumers of enginesdir,
> then perhaps better to fix it once at the source than in each user?

Yes, that could be one option. But it's clearly not upstreamable, as
it's a hack that depends on some custom changes we (Buildroot) make to
pkg-config.

> > and "libdir" was part of the special list of variables that we want to
> > prefix with the sysroot, then the old pkg-config would return libdir
> > prefixed with the sysroot, but not enginesdir.  
> 
> I assume there are packages which install libraries to the stage in
> sub-directories based on libdir, and this new pkg-config behavior is
> better for those cases, while worse for cases like enginesdir.

Exactly. In general, "libdir" needs to be prefixed with the sysroot
directory, because libdir is typically used to build -L gcc arguments,
where we need paths to be prefixed by the sysroot.

> Maybe some kind of run time control of pkg-config would allow it to
> work better?  For instance, an environment variable with some kind of
> white/black list of variables to prefix.  Default value would prefix
> libdir, etc.  But it could be tweaked on by infras and/or packages.
> Kind of like:
> 
> LIBP11_PKGCONFIG_NOT_STAGE_VARS = enginesdir

Well, this is already what we do in some sense: pkg-config has a list
of variables that it will prefix with the sysroot (see
0001-Only-prefix-with-the-sysroot-a-subset-of-variables.patch). The
problem is that the new implementation of pkg-config does the
resolution of variable values differently than it used to, and if
enginesdir is expressed in terms of libdir, then the fact that libdir
is sysroot-prefixed will affect the final value of enginesdir.

So basically, the problem is not so much expressing *which* variables
need to be sysrooted or not, but rather to make sure that the
pkg-config logic does it properly.

So maybe it's "just" a matter of tweaking the pkg-config logic to
really not sysroot-prefix any path when the initial variable requested
is not in the white-list of variables that must be sysroot-prefixed.

> > Overall, the issue is that there is no concept in pkg-config for "the
> > value of this variable is going to be used at build time" vs "the
> > value of this variable is going to be used at run time".  
> 
> Shame.  Maybe buildroot should create a new build system, to replace
> autotools, cmake, and meson, that knows about all the issues of cross
> building?  Yes, huge project.  Need macos and windows support.  But
> think of how much easier buildroot would be if you didn't have to fight
> autotools and cmake!

Well :-)

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

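The variable-resolution difference discussed above, as an added model (not Buildroot's or pkg-config's code): a minimal .pc resolver where the whitelist of sysroot-prefixed variables, the sysroot path and the libcrypto.pc fragment are constructed, and "old" stands for the behaviour Thomas proposes restoring (prefix only when the requested variable itself is whitelisted).

```python
import re

# Constructed .pc fragment: the enginesdir chain from the thread.
LIBCRYPTO_PC = """\
prefix=/usr
libdir=${prefix}/lib
enginesdir=${libdir}/engines
"""

SYSROOT = "/build/host/arm-buildroot-linux-gnueabihf/sysroot"  # constructed
# Variables whose own value must be sysroot-prefixed (they feed -L/-I).
# Illustrative whitelist, not the exact list from the Buildroot patch.
SYSROOT_VARS = {"libdir", "includedir"}

VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def parse_pc(text):
    """Collect the 'name=value' variable lines of a .pc file."""
    vars_ = {}
    for line in text.splitlines():
        if "=" in line and ":" not in line.split("=", 1)[0]:
            k, v = line.split("=", 1)
            vars_[k.strip()] = v.strip()
    return vars_

def expand(name, vars_, prefix_during_expansion):
    """Resolve `name` recursively. With prefix_during_expansion=True every
    whitelisted variable is sysroot-prefixed as soon as it is expanded
    (the newer behaviour), so enginesdir inherits libdir's sysroot."""
    def sub(m):
        return expand(m.group(1), vars_, prefix_during_expansion)
    value = VAR_RE.sub(sub, vars_[name])
    if prefix_during_expansion and name in SYSROOT_VARS:
        value = SYSROOT + value
    return value

def pkg_config_variable(name, vars_, new_behaviour):
    """Emulate `pkg-config --variable=<name>` under either behaviour."""
    if new_behaviour:
        return expand(name, vars_, True)
    # Old behaviour: expand fully, then prefix only the requested
    # variable if it is itself on the whitelist.
    value = expand(name, vars_, False)
    return SYSROOT + value if name in SYSROOT_VARS else value

if __name__ == "__main__":
    pc = parse_pc(LIBCRYPTO_PC)
    for var in ("libdir", "enginesdir"):
        for new in (False, True):
            print(var, "new" if new else "old", pkg_config_variable(var, pc, new))
```

Under the new behaviour enginesdir comes back sysroot-prefixed, which is why the engine lands in the staging path instead of /usr/lib/engines on the target.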
