Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libsecret: enable TPM support #375029

Open
wants to merge 1 commit into
base: staging
Choose a base branch
from
Open

libsecret: enable TPM support #375029

wants to merge 1 commit into from
+98 −27

Conversation

illdefined
Copy link
Contributor

@illdefined illdefined commented Jan 19, 2025
edited
Loading

libsecret supports binding the encryption key used for the file backend to a TPM, which offers security benefits over just deriving it from the user’s login password: https://gnome.pages.gitlab.gnome.org/libsecret/libsecret-tpm2.html

This change adds the option withTpm2Tss to enable building with TPM support. I suggest to enable it by default on x86-64 considering the almost universal prevalence of TPMs on x86-64 desktop systems.

The option abrmdSupport is used to enable support for the user‐space TPM resource manager. When enabled, libtss2-tcti-tabrmd.so and libtss2-tcti-device.so are added to the library’s dependencies to enable loading at run‐time.

libsecret requires a TPM resource manager, but works fine with the kernel‐space resource manager (/dev/tpmrm0). When using an emulated TPM (swtpm), a user‐space resource manager (abrmd) has to be used.

Things done

I tested this change on nixpkgs master.

The package tests run successfully and I manually tested secret-tool using the hardware TPM of my computer (NixOS x86-64) and the kernel‐space resource manager.

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: python 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation 8.has: changelog 6.topic: golang 6.topic: vim 6.topic: erlang 6.topic: ocaml 6.topic: jupyter Interactive computing tooling: kernels, notebook, jupyterlab 6.topic: julia 6.topic: flutter labels Jan 19, 2025
@illdefined illdefined changed the base branch from master to staging January 19, 2025 11:38
@github-actions github-actions bot removed 6.topic: python 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation 8.has: changelog 6.topic: golang 6.topic: vim 6.topic: erlang 6.topic: ocaml 6.topic: jupyter Interactive computing tooling: kernels, notebook, jupyterlab 6.topic: julia 6.topic: flutter labels Jan 19, 2025
@github-actions github-actions bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin and removed 10.rebuild-darwin: 11-100 labels Jan 19, 2025
@illdefined illdefined marked this pull request as ready for review January 19, 2025 13:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lovek323 lovek323 Awaiting requested review from lovek323

@hedning hedning Awaiting requested review from hedning

@jtojnar jtojnar Awaiting requested review from jtojnar

@dasj19 dasj19 Awaiting requested review from dasj19

@bobby285271 bobby285271 Awaiting requested review from bobby285271

@7c6f434c 7c6f434c Awaiting requested review from 7c6f434c

Assignees
No one assigned
Labels
10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1001-2500
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@illdefined