New: chaps: PKCS #11 implementation with TPM backend

pkgs/tools/security/chaps/default.nix

@@ -0,0 +1,81 @@
+{ stdenv, fetchgit, fetchurl, trousers, leveldb, unzip, scons, pkgconfig
+, glib, dbus_cplusplus, dbus, protobuf, openssl, snappy, pam }:
+
+let
+  src_chromebase = fetchgit {
+    url = "https://chromium.googlesource.com/chromium/src/base.git";
+    rev = "2dfe404711e15e24e79799516400c61b2719d7af";
+    sha256 = "2bd93a3ace4b6767db2c1bd1e16f426c97b8d2133a9cb15f8372b2516cfa65c5";
+  };
+
+  src_gmock = fetchurl {
+    url = "https://googlemock.googlecode.com/files/gmock-1.7.0.zip";
+    sha256 = "0nq98cpnv2jsx2byp4ilam6kydcnziflkc16ikydajmp4mcvpz16";
+  };
+
+  src_platform2 = fetchgit {
+    url = "https://chromium.googlesource.com/chromiumos/platform2";
+    rev = "e999e989eaa71c3db7314fc7b4e20829b2b5473b";
+    sha256 = "bb43ef7918ec6219711cbba3ce91236413738f1341261a1845256b3d6cc9f843";
+  };
+
+in
+
+stdenv.mkDerivation rec {
+  name = "chaps-0.42-6812";
+  version = "0.42-6812";
+
+  src = fetchgit {
+    url = "https://github.com/google/chaps-linux";
+    rev = "989aadc45cdb216ca35b0c97d13fc691576fa1d7";
+    sha256 = "c58e08e89d36050cd831116819d555f0e24e7bf11047cb18f2a2eead45ba67be";
+  };
+
+  patches = [ ./fix_absolute_path.patch  ./fix_environment_variables.patch  ./fix_scons.patch  ./insert_prefetches.patch ];
+
+  postPatch = ''
+    substituteInPlace makefile --replace @@NIXOS_SRC_CHROMEBASE@@ ${src_chromebase}
+    substituteInPlace makefile --replace @@NIXOS_SRC_GMOCK@@ ${src_gmock}
+    substituteInPlace makefile --replace @@NIXOS_SRC_PLATFORM2@@ ${src_platform2}
+    substituteInPlace makefile --replace @@NIXOS_LEVELDB@@ ${leveldb}
+    '';
+
+  nativeBuildInputs = [ unzip scons pkgconfig ];
+
+  buildInputs = [ trousers glib dbus_cplusplus dbus protobuf openssl snappy leveldb pam ];
+
+  buildPhase = ''
+    make build
+    '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp ${name}/out/chapsd $out/bin/.
+    cp ${name}/out/chaps_client $out/bin/.
+
+    mkdir -p $out/lib
+    cp ${name}/out/libchaps.so.* $out/lib/.
+    mkdir -p $out/lib/security
+    cp ${name}/out/pam_chaps.so $out/lib/security/.
+
+    mkdir -p $out/include
+    cp -r ${name}/out/chaps $out/include/.
+
+    mkdir -p $out/etc/dbus-1/system.d
+    cp ${name}/out/org.chromium.Chaps.conf $out/etc/dbus-1/system.d/.
+    mkdir -p $out/etc/dbus-1/system-services
+    cp ${name}/platform2/chaps/org.chromium.Chaps.service $out/etc/dbus-1/system-services/.
+
+    mkdir -p $out/usr/share/pam-configs/chaps
+    mkdir -p $out/usr/share/man/man8
+    cp ${name}/man/* $out/usr/share/man/man8/.
+    '';
+
+  meta = with stdenv.lib; {
+    description = "PKCS #11 implementation based on trusted platform module (TPM)";
+    homepage = "https://www.chromium.org/developers/design-documents/chaps-technical-design";
+    maintainers = [ maintainers.tstrobel ];
+    platforms = platforms.linux;
+    license = licenses.bsd3;
+  };
+}

pkgs/tools/security/chaps/fix_absolute_path.patch

@@ -0,0 +1,18 @@
+diff --git a/patches/platform2/fix_echo.patch b/patches/platform2/fix_echo.patch
+new file mode 100644
+index 0000000..d2272f6
+--- /dev/null
++++ b/patches/platform2/fix_echo.patch
+@@ -0,0 +1,12 @@
++diff -uNr platform2/common-mk/common.mk platform2-new/common-mk/common.mk
++--- platform2/common-mk/common.mk	2015-07-03 12:07:47.482745292 +0200
+++++ platform2-new/common-mk/common.mk	2015-07-03 12:08:16.868600569 +0200
++@@ -263,7 +263,7 @@
++ $(eval $(call override_var,STRIP,strip))
++ 
++ RMDIR ?= rmdir
++-ECHO = /bin/echo -e
+++ECHO = echo -e
++ 
++ ifeq ($(lastword $(subst /, ,$(CC))),clang)
++ CDRIVER = clang

pkgs/tools/security/chaps/fix_environment_variables.patch

@@ -0,0 +1,42 @@
+diff --git a/extrasrc/Makefile b/extrasrc/Makefile
+index fb95845..77125c0 100644
+--- a/extrasrc/Makefile
++++ b/extrasrc/Makefile
+@@ -10,11 +10,11 @@ OUTDIR=$(SRCDIR)/out
+ GMOCK_DIR=$(SRCDIR)/gmock-$(GMOCK_VER)
+ GTEST_DIR=$(GMOCK_DIR)/gtest
+
+-INCLUDES="-I$(SRCDIR)/include -I$(SRCDIR)/platform2/libchromeos -isystem $(GTEST_DIR)/include -I$(GMOCK_DIR)/include -I$(SRCDIR)/leveldb/include"
++INCLUDES="-I$(SRCDIR)/include -I$(SRCDIR)/platform2/libchromeos -isystem $(GTEST_DIR)/include -I$(GMOCK_DIR)/include -I$(SRCDIR)/leveldb/include $(NIX_LDFLAG) $(NIX_CFLAGS_COMPILE)"
+
+ # To build Chaps, defer to platform2/chaps/Makefile
+ all: libchrome-$(BASE_VER).a libchromeos-$(BASE_VER).a | out
+-	cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) CXXFLAGS=$(INCLUDES) OUT=$(OUTDIR) CHAPS_VERSION_MAJOR=$(CHAPS_VERSION_MAJOR) CHAPS_VERSION_MINOR=$(CHAPS_VERSION_MINOR) $(MAKE)
++	cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR):$(PKG_CONFIG_PATH) CXXFLAGS=$(INCLUDES) OUT=$(OUTDIR) CHAPS_VERSION_MAJOR=$(CHAPS_VERSION_MAJOR) CHAPS_VERSION_MINOR=$(CHAPS_VERSION_MINOR) $(MAKE)
+
+ # To build required Chromium components, defer to scons file.
+ libchrome-$(BASE_VER).a:
+@@ -38,7 +38,7 @@ out/libgmock.a: out/gmock-all.o
+ 	ar -rv $@ $<
+
+ test: out/libgtest.a out/libgmock.a libchrome-$(BASE_VER).a libchromeos-$(BASE_VER).a | out
+-	cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) CXXFLAGS=$(INCLUDES) LDLIBS="-L$(OUTDIR)" OUT=$(OUTDIR) $(MAKE) tests
++	cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR):$(PKG_CONFIG_PATH) CXXFLAGS=$(INCLUDES) LDLIBS="-L$(OUTDIR)" OUT=$(OUTDIR) $(MAKE) tests
+
+ clean: clean_chaps clean_chromeos clean_chromebase clean_gmock clean_debian
+ clean_gmock:
+@@ -49,7 +49,7 @@ clean_chromebase:
+ clean_chromeos:
+ 	-BASE_VER=$(BASE_VER) scons -f Sconstruct.libchromeos -c
+ clean_chaps:
+-	-cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) $(MAKE) clean
++	-cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR):$(PKG_CONFIG_PATH) $(MAKE) clean
+ 	rm -rf out
+ clean_debian:
+ 	dh_clean
+@@ -64,4 +64,4 @@ install_man:
+ 	$(INSTALL) -m 0644 -D man/chapsd.8 $(MANDIR)/man8/chapsd.8
+ 	$(INSTALL) -m 0644 -D man/chaps_client.8 $(MANDIR)/man8/chaps_client.8
+ install: install_man
+-	cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) CXXFLAGS=$(INCLUDES) OUT=$(OUTDIR) CHAPS_VERSION_MAJOR=$(CHAPS_VERSION_MAJOR) CHAPS_VERSION_MINOR=$(CHAPS_VERSION_MINOR) $(MAKE) install_files
++	cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR):$(PKG_CONFIG_PATH) CXXFLAGS=$(INCLUDES) OUT=$(OUTDIR) CHAPS_VERSION_MAJOR=$(CHAPS_VERSION_MAJOR) CHAPS_VERSION_MINOR=$(CHAPS_VERSION_MINOR) $(MAKE) install_files

pkgs/tools/security/chaps/fix_scons.patch

@@ -0,0 +1,26 @@
+diff --git a/extrasrc/Sconstruct.libchrome b/extrasrc/Sconstruct.libchrome
+index 4feb76d..311fe8a 100644
+--- a/extrasrc/Sconstruct.libchrome
++++ b/extrasrc/Sconstruct.libchrome
+@@ -103,7 +103,7 @@ base_lib = {
+     'pc_libs' : 'glib-2.0',
+ }
+
+-env = Environment()
++env = Environment(ENV = os.environ)
+
+ BASE_VER = os.environ.get('BASE_VER', '0')
+ GTEST_DIR = os.environ.get('GTEST_DIR', '0')
+diff --git a/extrasrc/Sconstruct.libchromeos b/extrasrc/Sconstruct.libchromeos
+index 1da6001..66f9acb 100644
+--- a/extrasrc/Sconstruct.libchromeos
++++ b/extrasrc/Sconstruct.libchromeos
+@@ -18,7 +18,7 @@ base_lib = {
+     'pc_libs' : 'dbus-c++-1',
+ }
+
+-env = Environment()
++env = Environment(ENV = os.environ)
+
+ PKG_CONFIG = os.environ.get('PKG_CONFIG', 'pkg-config')
+ BASE_VER = os.environ.get('BASE_VER', '0')

pkgs/tools/security/chaps/insert_prefetches.patch

@@ -0,0 +1,51 @@
+diff --git a/makefile b/makefile
+index b6865f3..c14f5ec 100644
+--- a/makefile
++++ b/makefile
+@@ -53,8 +53,8 @@ $(SRCDIR)/include/trousers/scoped_tss_type.h: extrasrc/scoped_tss_type.h | $(SRC
+ 	cp $< $@
+ # Chromium includes <leveldb/memenv.h>.  This requires an install of libleveldb-dev that has
+ # memenv support included; move this into a local leveldb/ subdirectory
+-$(SRCDIR)/include/leveldb/memenv.h: /usr/include/leveldb/helpers/memenv.h | $(SRCDIR)/include/leveldb
+-	cp $< $@
++$(SRCDIR)/include/leveldb/memenv.h: $(SRCDIR)/include/leveldb
++	cp @@NIXOS_LEVELDB@@/include/leveldb/helpers/memenv.h $@
+ # Chromium includes <include/testing/gtest/include/gtest/gtest_prod.h>, so have a local copy.
+ $(SRCDIR)/include/testing/gtest/include/gtest/gtest_prod.h: extrasrc/gtest_prod.h | $(SRCDIR)/include/testing/gtest/include/gtest
+ 	cp $< $@
+@@ -80,7 +80,7 @@ GMOCK_DIR=$(SRCDIR)/gmock-$(GMOCK_VERSION)
+ GTEST_DIR=$(GMOCK_DIR)/gtest
+ src_gmock: $(GMOCK_DIR)/LICENSE
+ $(GMOCK_DIR)/LICENSE: | $(SRCDIR)
+-	cd $(SRCDIR) && wget $(GMOCK_URL)
++	cd $(SRCDIR) && cp @@NIXOS_SRC_GMOCK@@ gmock-$(GMOCK_VERSION).zip && chmod +w gmock-$(GMOCK_VERSION).zip
+ 	cd $(SRCDIR) && unzip -q gmock-$(GMOCK_VERSION).zip
+ 	rm $(SRCDIR)/gmock-$(GMOCK_VERSION).zip
+ 	touch $@
+@@ -107,8 +107,7 @@ src_chromebase: $(SRCDIR)/base/base64.h
+ $(SRCDIR)/base: | $(SRCDIR)
+ 	mkdir -p $@
+ $(SRCDIR)/base/base64.h: | $(SRCDIR)/base
+-	git clone $(CHROMEBASE_GIT) $(SRCDIR)/base
+-	cd $(SRCDIR)/base && git checkout $(CHROMEBASE_COMMIT)
++	cp -r @@NIXOS_SRC_CHROMEBASE@@/. $(SRCDIR)/base && chmod -R +w $(SRCDIR)/base
+
+ # We need two subdirectories from the platform2 repository from ChromiumOS:
+ #   - chaps/ for the Chaps source code
+@@ -119,14 +118,8 @@ $(SRCDIR)/platform2:
+ PLATFORM2_GIT=https://chromium.googlesource.com/chromiumos/platform2
+ PATCHES=$(wildcard $(CURDIR)/patches/platform2/*.patch)
+ $(SRCDIR)/platform2/chaps/Makefile: | $(SRCDIR)/platform2
+-	cd $(SRCDIR)/platform2 && git init . && git remote add -f origin $(PLATFORM2_GIT)
+-	cd $(SRCDIR)/platform2 && git config core.sparsecheckout true
+-	cd $(SRCDIR)/platform2 && echo "chaps" > .git/info/sparse-checkout
+-	cd $(SRCDIR)/platform2 && echo "libchromeos/chromeos" >> .git/info/sparse-checkout
+-	cd $(SRCDIR)/platform2 && echo "common-mk/common.mk" >> .git/info/sparse-checkout
+-	cd $(SRCDIR)/platform2 && git pull origin master
+-	cd $(SRCDIR)/platform2 && git checkout $(CROS_BRANCH)
+-	cd $(SRCDIR)/platform2 && if [ ! -z "$(PATCHES)" ]; then git am $(PATCHES); fi
++	cd $(SRCDIR)/platform2 && cp -r @@NIXOS_SRC_PLATFORM2@@/. . && chmod -R +w $(SRCDIR)/platform2
++	cd $(SRCDIR)/platform2 && if [ ! -z "$(PATCHES)" ]; then patch -p1 < $(PATCHES); fi
+
+
+ # Copy man pages

pkgs/top-level/all-packages.nix

@@ -3105,6 +3105,8 @@ let
 
   tpm-tools = callPackage ../tools/security/tpm-tools { };
 
+  chaps = callPackage ../tools/security/chaps { };
+
   trace-cmd = callPackage ../os-specific/linux/trace-cmd { };
 
   traceroute = callPackage ../tools/networking/traceroute { };