Squashed 'import-layers/meta-security/' content from commit 4d139b9

Subtree from git://git.yoctoproject.org/meta-security

Change-Id: I14bb13faa3f2b2dc1f5d81b339dd48ffedf8562f
git-subtree-dir: import-layers/meta-security
git-subtree-split: 4d139b95c4f152d132592f515c5151f4dd6269c1
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
diff --git a/import-layers/meta-security/meta-tpm/README b/import-layers/meta-security/meta-tpm/README
new file mode 100644
index 0000000..bbc70bb
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/README
@@ -0,0 +1,4 @@
+meta-tpm layer
+==============
+
+This layer contains base TPM recipes.
diff --git a/import-layers/meta-security/meta-tpm/conf/layer.conf b/import-layers/meta-security/meta-tpm/conf/layer.conf
new file mode 100644
index 0000000..a2f0cab
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/conf/layer.conf
@@ -0,0 +1,15 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have a recipes directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "tpm-layer"
+BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_tpm-layer = "6"
+
+LAYERSERIES_COMPAT_tpm-layer = "sumo"
+
+LAYERDEPENDS_tpm-layer = " \
+    core \
+"
diff --git a/import-layers/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb b/import-layers/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb
new file mode 100644
index 0000000..a337076
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb
@@ -0,0 +1,19 @@
+DESCRIPTION = "A small image for building meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+    packagegroup-base \
+    packagegroup-core-boot \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm',  'packagegroup-security-tpm',  '', d)} \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \
+    os-release \
+    ${CORE_IMAGE_EXTRA_INSTALL}"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-tpm-image"
diff --git a/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb
new file mode 100644
index 0000000..3b9d271
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb
@@ -0,0 +1,19 @@
+DESCRIPTION = "Security packagegroup for TPM i2c support"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "packagegroup-security-tpm-i2c"
+
+SUMMARY_packagegroup-security-tpm-i2c = "Security TPM i2c support"
+RDEPENDS_packagegroup-security-tpm-i2c = " \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'packagegroup-security-tpm', '', d)} \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \
+    kernel-module-tpm-i2c-atmel \
+    kernel-module-tpm-i2c-infineon \
+    kernel-module-tpm-i2c-nuvoton \
+    kernel-module-tpm-st33zp24 \
+    kernel-module-tpm-st33zp24-i2c \
+    "
diff --git a/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb
new file mode 100644
index 0000000..25126ef
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb
@@ -0,0 +1,29 @@
+DESCRIPTION = "Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "packagegroup-security-tpm"
+
+SUMMARY_packagegroup-security-tpm = "Security TPM support"
+RDEPENDS_packagegroup-security-tpm = " \
+    tpm-tools \
+    trousers \
+    ${X86_TPM_MODULES} \
+    "
+
+X86_TPM_MODULES ?= ""
+
+X86_TPM_MODULES_x86 = " \
+    kernel-module-tpm-atmel \
+    kernel-module-tpm-infineon \
+    kernel-module-tpm-nsc \
+    "
+
+X86_TPM_MODULES_x86-64 = " \
+    kernel-module-tpm-atmel \
+    kernel-module-tpm-infineon \
+    kernel-module-tpm-nsc \
+    "
diff --git a/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
new file mode 100644
index 0000000..13b505f
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -0,0 +1,18 @@
+DESCRIPTION = "Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "packagegroup-security-tpm2"
+
+SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support"
+RDEPENDS_packagegroup-security-tpm2 = " \
+    tpm2.0-tools \
+    trousers \
+    libtss2 \
+    libtctidevice \
+    libtctisocket \
+    resourcemgr \
+    "
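Review bot: `trousers` in `RDEPENDS_packagegroup-security-tpm2` looks like a carry-over from the TPM 1.2 group, since TrouSerS is a TSS 1.2 stack. A tpm2-only image would then carry a daemon that, as far as I know, cannot talk to a TPM 2.0 device. If nothing in the tpm2 tool set needs it, drop that line so the image carries only the TPM 2.0 stack (`tpm2.0-tools`, `libtss2`, the TCTI libraries and `resourcemgr`). The `DESCRIPTION = "Security packagegroup for Poky"` string is also identical across the tpm, tpm2 and vtpm groups; something like `"Security packagegroup for TPM 2.0 user space"` would tell them apart.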
diff --git a/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb
new file mode 100644
index 0000000..2e9394f
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb
@@ -0,0 +1,14 @@
+DESCRIPTION = "Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "packagegroup-security-vtpm"
+
+SUMMARY_packagegroup-security-vtpm = "Security Software vTPM support"
+RDEPENDS_packagegroup-security-vtpm = " \
+    libtpm \
+    swtpm \
+    "		
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.cfg b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.cfg
new file mode 100644
index 0000000..8782823
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.cfg
@@ -0,0 +1,8 @@
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
+CONFIG_SECURITYFS=y
+CONFIG_TCG_NSC=m
+CONFIG_TCG_ATMEL=m
+CONFIG_TCG_INFINEON=m
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.scc b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.scc
new file mode 100644
index 0000000..2949ed4
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.scc
@@ -0,0 +1,3 @@
+define KFEATURE_DESCRIPTION "Enable TPM"
+
+kconf hardware tpm.cfg
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.cfg b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.cfg
new file mode 100644
index 0000000..a81b54d
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.cfg
@@ -0,0 +1,6 @@
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
+CONFIG_TCG_CRB=y
+CONFIG_SECURITYFS=y
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.scc b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.scc
new file mode 100644
index 0000000..088148f
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.scc
@@ -0,0 +1,3 @@
+define KFEATURE_DESCRIPTION "Enable TPM 2.0"
+
+kconf hardware tpm2.cfg
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.cfg b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.cfg
new file mode 100644
index 0000000..59993f9
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.cfg
@@ -0,0 +1,15 @@
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
+CONFIG_SECURITYFS=y
+
+CONFIG_REGMAP_I2C=y
+CONFIG_I2C_BOARDINFO=y
+CONFIG_I2C_COMPAT=y
+CONFIG_RTC_I2C_AND_SPI=y
+
+CONFIG_TCG_TIS_I2C_ATMEL=m
+CONFIG_TCG_TIS_I2C_INFINEON=m
+CONFIG_TCG_TIS_I2C_NUVOTON=m
+CONFIG_TCG_TIS_ST33ZP24_I2C=m
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.scc b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.scc
new file mode 100644
index 0000000..0e4eedb
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.scc
@@ -0,0 +1,6 @@
+define KFEATURE_DESCRIPTION "Enable TPM i2c"
+
+include features/i2c/i2c.scc
+
+kconf hardware tpm_i2c.cfg
+
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg
new file mode 100644
index 0000000..8be331a
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg
@@ -0,0 +1,4 @@
+CONFIG_TCG_NSC=m
+CONFIG_TCG_ATMEL=m
+CONFIG_TCG_INFINEON=m
+CONFIG_TCG_TIS_ST33ZP24=m
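Review bot: Nothing in the part of the commit shown here references tpm_x86.cfg: each added .scc names its own fragment (`kconf hardware tpm.cfg`, `tpm2.cfg`, `tpm_i2c.cfg`, `vtpm.cfg`), and the linux-yocto bbappend adds only those four .scc files to SRC_URI. Three of these options are duplicated in tpm.cfg, and `CONFIG_TCG_TIS_ST33ZP24=m` is set explicitly only in this file. Either add a `tpm_x86.scc` containing `kconf hardware tpm_x86.cfg` and reference it from the x86 SRC_URI overrides (removing the duplicates from tpm.cfg), or drop the file so it does not suggest configuration that is never applied.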
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.cfg b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.cfg
new file mode 100644
index 0000000..a8b3758
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.cfg
@@ -0,0 +1,5 @@
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TPM=y
+CONFIG_TCG_VTPM_PROXY=y
+CONFIG_SECURITYFS=y
+~                    
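Review bot: The last line of this fragment is a literal `~` followed by spaces, which looks like an editor's empty-line marker pasted into the file and is not a Kconfig assignment. It should be removed so the fragment ends after `CONFIG_SECURITYFS=y`. I have not verified how the kernel fragment tooling treats such a line; at best it is ignored, at worst it produces a warning or a junk entry during configuration merging.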
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.scc b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.scc
new file mode 100644
index 0000000..e842da6
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable vTPM"
+
+kconf hardware vtpm.cfg
+
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend
new file mode 100644
index 0000000..cea8b1b
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -0,0 +1,17 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
+
+# Enable tpm in kernel 
+SRC_URI_append_x86 = " \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
+    "
+
+SRC_URI_append_x86-64 = " \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
+    "
+
+SRC_URI += " \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \
+    "
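Review bot: The `tpm` and `tpm2` kernel fragments are appended only under the `x86` and `x86-64` overrides, while security-tpm-image.bb and the packagegroups in this commit select the user-space stack from `MACHINE_FEATURES` alone. A non-x86 machine that declares `tpm2` would therefore get the tools but none of the `CONFIG_TCG_*` options from tpm2.cfg, and TPM-backed features would fail only at run time. If the restriction is deliberate, a comment above `SRC_URI_append_x86` saying so would help; otherwise move the two `bb.utils.contains` lines into the unconditional `SRC_URI +=` block. The x86 and x86-64 blocks are also byte-identical and could share one variable.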
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
new file mode 100644
index 0000000..9e1021a
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
@@ -0,0 +1,26 @@
+From 09e7dd42e5201d079bad70e9f7cc6033ce1c7cad Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Fri, 3 Feb 2017 10:58:22 -0500
+Subject: [PATCH] Convert another vdprintf to dprintf
+
+Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/tpm_library.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/src/tpm_library.c
+===================================================================
+--- git.orig/src/tpm_library.c
++++ git/src/tpm_library.c
+@@ -427,7 +427,7 @@ void TPMLIB_LogPrintfA(unsigned int inde
+             indent = sizeof(spaces) - 1;
+         memset(spaces, ' ', indent);
+         spaces[indent] = 0;
+-        vdprintf(debug_fd, spaces, NULL);
++        dprintf(debug_fd, "%s", spaces);
+     }
+ 
+     va_start(args, format);
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch
new file mode 100644
index 0000000..a71b5c1
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch
@@ -0,0 +1,33 @@
+From 6a9b4e5d70f770aa9ca31e3e6d3b1ae72c192070 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Tue, 31 Jan 2017 20:10:51 -0500
+Subject: [PATCH] Use format '%s' for call to dprintf
+
+Fix the dprintf call to use a format parameter that otherwise causes
+errors with gcc on certain platforms.
+
+Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+replaces local patch
+Signed-off-by: Armin Kuster <akuster@mvsita.com>
+
+---
+ src/tpm_library.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: git/src/tpm_library.c
+===================================================================
+--- git.orig/src/tpm_library.c
++++ git/src/tpm_library.c
+@@ -405,8 +405,8 @@ int TPMLIB_LogPrintf(const char *format,
+     }
+ 
+     if (debug_prefix)
+-        dprintf(debug_fd, debug_prefix);
+-    dprintf(debug_fd, buffer);
++        dprintf(debug_fd, "%s", debug_prefix);
++    dprintf(debug_fd, "%s", buffer);
+ 
+     return i;
+ }
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch
new file mode 100644
index 0000000..fc13aa5
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch
@@ -0,0 +1,48 @@
+Upstream-Status: Pending
+Signed-off-by: Armin kuster <akuster808@gmail.com>
+
+Index: git/src/swtpm/ctrlchannel.c
+===================================================================
+--- git.orig/src/swtpm/ctrlchannel.c
++++ git/src/swtpm/ctrlchannel.c
+@@ -152,7 +152,8 @@ static int ctrlchannel_receive_state(ptm
+     uint32_t tpm_number = 0;
+     unsigned char *blob = NULL;
+     uint32_t blob_length = be32toh(pss->u.req.length);
+-    uint32_t remain = blob_length, offset = 0;
++    ssize_t remain = (ssize_t) blob_length;
++    uint32_t offset = 0;
+     TPM_RESULT res;
+     uint32_t flags = be32toh(pss->u.req.state_flags);
+     TPM_BOOL is_encrypted = (flags & PTM_STATE_FLAG_ENCRYPTED) != 0;
+Index: git/src/swtpm_ioctl/tpm_ioctl.c
+===================================================================
+--- git.orig/src/swtpm_ioctl/tpm_ioctl.c
++++ git/src/swtpm_ioctl/tpm_ioctl.c
+@@ -303,7 +303,7 @@ static int do_save_state_blob(int fd, bo
+         numbytes = write(file_fd, pgs.u.resp.data,
+                          devtoh32(is_chardev, pgs.u.resp.length));
+ 
+-        if (numbytes != devtoh32(is_chardev, pgs.u.resp.length)) {
++        if (numbytes != (ssize_t) devtoh32(is_chardev, pgs.u.resp.length)) {
+             fprintf(stderr,
+                     "Could not write to file '%s': %s\n",
+                     filename, strerror(errno));
+@@ -420,7 +420,7 @@ static int do_load_state_blob(int fd, bo
+                had_error = true;
+                break;
+             }
+-            pss.u.req.length = htodev32(is_chardev, numbytes);
++            pss.u.req.length = htodev32(is_chardev, (uint32_t) numbytes);
+ 
+             /* the returnsize is zero on all intermediate packets */
+             returnsize = ((size_t)numbytes < sizeof(pss.u.req.data))
+@@ -863,7 +863,7 @@ int main(int argc, char *argv[])
+             return EXIT_FAILURE;
+         }
+         /* no tpm_result here */
+-        printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap));
++        printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
+ 
+     } else if (!strcmp(command, "-i")) {
+         init.u.req.init_flags = htodev32(is_chardev, PTM_INIT_FLAG_DELETE_VOLATILE);
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
new file mode 100644
index 0000000..b29ec6b
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "LIBPM - Software TPM Library"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=97e5eea8d700d76b3ddfd35c4c96485f"
+
+SRCREV = "3388d45082bdc588c6fc0672f44d6d7d0aaa86ff"
+SRC_URI = " \
+	git://github.com/stefanberger/libtpms.git \
+	"
+
+S = "${WORKDIR}/git"
+inherit autotools-brokensep pkgconfig
+
+PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
+
+PV = "1.0+git${SRCPV}"
+
+BBCLASSEXTEND = "native"
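Review bot: `SRC_URI` lists only the git URL, so the three patch files this commit adds under libtpm/files/ (Convert-another-vdprintf-to-dprintf.patch, Use-format-s-for-call-to-dprintf.patch, fix_signed_issue.patch) are never applied by this recipe. If the pinned `SRCREV` already contains the two format-string backports they should be deleted; otherwise add them as `file://` entries. fix_signed_issue.patch touches `src/swtpm/` and `src/swtpm_ioctl/`, which look like swtpm sources rather than libtpms, so it probably belongs to another recipe. The fetch also uses plain `git://`, which is unauthenticated; the pinned SRCREV limits what a tampered transfer can deliver, but `git://github.com/stefanberger/libtpms.git;protocol=https` would be the safer default. `SUMMARY` reads "LIBPM" where "LIBTPMS" seems intended.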
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
new file mode 100644
index 0000000..67071b6
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
@@ -0,0 +1,99 @@
+commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
+Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
+Date:   Wed Jun 19 18:57:13 2013 +0800
+
+support well-known password in openssl-tpm-engine.
+
+Add "-z" option to select well known password in create_tpm_key tool.
+
+Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
+
+diff --git a/create_tpm_key.c b/create_tpm_key.c
+index fee917f..7b94d62 100644
+--- a/create_tpm_key.c
++++ b/create_tpm_key.c
+@@ -46,6 +46,8 @@
+ #include <trousers/tss.h>
+ #include <trousers/trousers.h>
+ 
++#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
++
+ #define print_error(a,b) \
+ 	fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \
+ 		a, b, Trspi_Error_String(b))
+@@ -70,6 +72,7 @@ usage(char *argv0)
+ 		"\t\t-e|--enc-scheme  encryption scheme to use [PKCSV15] or OAEP\n"
+ 		"\t\t-q|--sig-scheme  signature scheme to use [DER] or SHA1\n"
+ 		"\t\t-s|--key-size    key size in bits [2048]\n"
++		"\t\t-z|--zerokey     use well known 20 bytes zero as SRK password.\n"
+ 		"\t\t-a|--auth        require a password for the key [NO]\n"
+ 		"\t\t-p|--popup       use TSS GUI popup dialogs to get the password "
+ 		"for the\n\t\t\t\t key [NO] (implies --auth)\n"
+@@ -147,6 +150,7 @@ int main(int argc, char **argv)
+ 	int		asn1_len;
+ 	char		*filename, c, *openssl_key = NULL;
+ 	int		option_index, auth = 0, popup = 0, wrap = 0;
++	int		wellknownkey = 0;
+ 	UINT32		enc_scheme = TSS_ES_RSAESPKCSV15;
+ 	UINT32		sig_scheme = TSS_SS_RSASSAPKCS1V15_DER;
+ 	UINT32		key_size = 2048;
+@@ -154,12 +158,15 @@ int main(int argc, char **argv)
+ 
+ 	while (1) {
+ 		option_index = 0;
+-		c = getopt_long(argc, argv, "pe:q:s:ahw:",
++		c = getopt_long(argc, argv, "pe:q:s:zahw:",
+ 				long_options, &option_index);
+ 		if (c == -1)
+ 			break;
+ 
+ 		switch (c) {
++			case 'z':
++				wellknownkey = 1;
++				break;
+ 			case 'a':
+ 				initFlags |= TSS_KEY_AUTHORIZATION;
+ 				auth = 1;
+@@ -293,6 +300,8 @@ int main(int argc, char **argv)
+ 
+ 	if (srk_authusage) {
+ 		char *authdata = calloc(1, 128);
++		TSS_FLAG secretMode = TSS_SECRET_MODE_PLAIN;
++		int authlen = 0;
+ 
+ 		if (!authdata) {
+ 			fprintf(stderr, "malloc failed.\n");
+@@ -309,17 +318,26 @@ int main(int argc, char **argv)
+ 			exit(result);
+ 		}
+ 
+-		if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
+-			Tspi_Context_CloseObject(hContext, hKey);
+-			Tspi_Context_Close(hContext);
+-			free(authdata);
+-			exit(result);
++		if (wellknownkey) {
++			memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN);
++			secretMode = TSS_SECRET_MODE_SHA1;
++			authlen = TPM_WELL_KNOWN_KEY_LEN;
++		}
++		else {
++			if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
++				Tspi_Context_CloseObject(hContext, hKey);
++				Tspi_Context_Close(hContext);
++				free(authdata);
++				exit(result);
++			}
++			secretMode = TSS_SECRET_MODE_PLAIN;
++			authlen = strlen(authdata);
+ 		}
+ 
+ 		//Set Secret
+ 		if ((result = Tspi_Policy_SetSecret(srkUsagePolicy,
+-						    TSS_SECRET_MODE_PLAIN,
+-						    strlen(authdata),
++						    secretMode,
++						    authlen,
+ 						    (BYTE *)authdata))) {
+ 			print_error("Tspi_Policy_SetSecret", result);
+ 			free(authdata);
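Review bot: The usage text added here advertises `-z|--zerokey`, but the only parser change is adding `z` to the getopt_long short-option string. No hunk adds a matching entry to `long_options[]`, so unless that array (outside the hunk) already has one, `--zerokey` will be rejected; adding `{"zerokey", 0, 0, 'z'},` there would fix it. `authdata` holds the SRK secret in the non-`-z` path and is released with a bare `free(authdata)`; an `OPENSSL_cleanse(authdata, 128)` before each free would avoid leaving it in heap memory. The `secretMode = TSS_SECRET_MODE_PLAIN;` assignment in the else branch repeats the initialiser and can go. The patch also lacks an Upstream-Status tag.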
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
new file mode 100644
index 0000000..f718f2e
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
@@ -0,0 +1,80 @@
+commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
+Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
+Date:   Wed Jun 19 18:57:13 2013 +0800
+
+support reading SRK password from env TPM_SRK_PW
+
+Add "env TPM_SRK_PW=xxxx" to set password for libtpm.so. Specially,
+use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password.
+
+Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
+
+diff --git a/e_tpm.c b/e_tpm.c
+index f3e8bcf..7dcb75a 100644
+--- a/e_tpm.c
++++ b/e_tpm.c
+@@ -38,6 +38,8 @@
+ 
+ #include "e_tpm.h"
+ 
++#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
++
+ //#define DLOPEN_TSPI
+ 
+ #ifndef OPENSSL_NO_HW
+@@ -248,6 +250,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ 	TSS_RESULT result;
+ 	UINT32 authusage;
+ 	BYTE *auth;
++	char *srkPasswd = NULL;
++	TSS_FLAG secretMode = secret_mode;
++	int authlen = 0;
++
+ 
+ 	if (hSRK != NULL_HKEY) {
+ 		DBGFN("SRK is already loaded.");
+@@ -299,18 +305,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ 		return 0;
+ 	}
+ 
+-	if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ",
+-				cb_data)) {
+-		Tspi_Context_CloseObject(hContext, hSRK);
+-		free(auth);
+-		TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+-		return 0;
++	srkPasswd = getenv("TPM_SRK_PW");
++	if (NULL != srkPasswd) {
++		if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
++			memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
++			secretMode = TSS_SECRET_MODE_SHA1;
++			authlen = TPM_WELL_KNOWN_KEY_LEN;
++		} else {
++			int authbuflen = 128;
++			memset(auth, 0, authbuflen);
++			strncpy(auth, srkPasswd, authbuflen-1);
++			secretMode = TSS_SECRET_MODE_PLAIN;
++			authlen = strlen(auth);
++		}
++	}
++	else {
++		if (!tpm_engine_get_auth(ui, (char *)auth, 128,
++				"SRK authorization: ", cb_data)) {
++			Tspi_Context_CloseObject(hContext, hSRK);
++			free(auth);
++			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++			return 0;
++		}
++		secretMode = secret_mode;
++		authlen = strlen(auth);
+ 	}
+ 
+ 	/* secret_mode is a global that may be set by engine ctrl
+ 	 * commands.  By default, its set to TSS_SECRET_MODE_PLAIN */
+-	if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secret_mode,
+-					      strlen((char *)auth), auth))) {
++	if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secretMode,
++					      authlen, auth))) {
+ 		Tspi_Context_CloseObject(hContext, hSRK);
+ 		free(auth);
+ 		TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
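Review bot: The plaintext branch copies `TPM_SRK_PW` with `strncpy(auth, srkPasswd, authbuflen-1)`, so a value longer than 127 bytes is silently truncated and then presented to the TPM. That surfaces as a generic authorization failure and may count against the TPM's failed-auth lockout; rejecting `strlen(srkPasswd) >= authbuflen` with a TSSerr before the copy would be clearer. A secret passed in the environment is inherited by child processes and readable through /proc/<pid>/environ by the same user, so the patch description should state that trade-off. `auth` should also be cleared with `OPENSSL_cleanse(auth, 128)` before each `free(auth)`; some of those frees are outside the hunk. Since `auth` is a `BYTE *`, the new `strncpy` and `strlen` calls need the `(char *)` casts the replaced code used.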
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch
new file mode 100644
index 0000000..d24a150
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch
@@ -0,0 +1,25 @@
+From 7848445a1f4c750ef73bf96f5e89d402f87a1756 Mon Sep 17 00:00:00 2001
+From: Lans Zhang <jia.zhang@windriver.com>
+Date: Mon, 19 Jun 2017 14:54:28 +0800
+Subject: [PATCH] Fix not building libtpm.la
+
+Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+---
+ Makefile.am | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 6695656..634a7e6 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -10,4 +10,6 @@ libtpm_la_LIBADD=-lcrypto -lc -ltspi
+ libtpm_la_SOURCES=e_tpm.c e_tpm.h e_tpm_err.c
+ 
+ create_tpm_key_SOURCES=create_tpm_key.c
+-create_tpm_key_LDADD=-ltspi
++create_tpm_key_LDFLAGS=-ltspi
++
++LDADD=libtpm.la
+-- 
+2.7.5
+
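Review bot: Moving `-ltspi` from `create_tpm_key_LDADD` to `create_tpm_key_LDFLAGS` places a library ahead of the object files on the link line, which leaves the tspi symbols unresolved with toolchains that default to `--as-needed`; libraries belong in `_LDADD`. A per-target `_LDADD` overrides the global `LDADD`, which is presumably why it was moved, so `create_tpm_key_LDADD=libtpm.la -ltspi` would keep both without misusing LDFLAGS. It is also worth confirming that create_tpm_key really needs to link the engine library rather than only be built after it. The patch has no Upstream-Status tag.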
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
new file mode 100644
index 0000000..a88148f
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
@@ -0,0 +1,254 @@
+From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001
+From: Limeng <Meng.Li@windriver.com>
+Date: Fri, 23 Jun 2017 11:39:04 +0800
+Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password 
+ from env
+
+Before, we support reading SRK password from env TPM_SRK_PW,
+but it is a plain password and not secure.
+So, we improve it and support to get an encrypted (AES algorithm)
+SRK password from env, and then parse it. The default decrypting
+AES password and salt is set in bb file.
+When we initialize TPM, and set a SRK pw, and then we need to
+encrypt it with the same AES password and salt by AES algorithm.
+At last, we set a env as below:
+export TPM_SRK_ENC_PW=xxxxxxxx
+"xxxxxxxx" is the encrypted SRK password for libtpm.so.
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ e_tpm.c     | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ e_tpm.h     |   4 ++
+ e_tpm_err.c |   4 ++
+ 3 files changed, 164 insertions(+), 1 deletion(-)
+
+diff --git a/e_tpm.c b/e_tpm.c
+index 7dcb75a..11bf74b 100644
+--- a/e_tpm.c
++++ b/e_tpm.c
+@@ -245,6 +245,118 @@ void ENGINE_load_tpm(void)
+ 	ERR_clear_error();
+ }
+ 
++static int tpm_decode_base64(unsigned char *indata,
++				int in_len,
++				unsigned char *outdata,
++				int *out_len)
++{
++	int total_len, len, ret;
++	EVP_ENCODE_CTX dctx;
++
++	EVP_DecodeInit(&dctx);
++
++	total_len = 0;
++	ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
++	if (ret < 0) {
++		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
++		return 1;
++	}
++
++	total_len += len;
++	ret = EVP_DecodeFinal(&dctx, outdata, &len);
++	if (ret < 0) {
++		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
++		return 1;
++	}
++	total_len += len;
++
++	*out_len = total_len;
++
++	return 0;
++}
++
++static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
++				unsigned char *outdata,
++				int *out_len)
++{
++	int dec_data_len, dec_data_lenfinal;
++	unsigned char dec_data[256];
++	unsigned char *aes_pw;
++	unsigned char aes_salt[PKCS5_SALT_LEN];
++	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
++	const EVP_CIPHER *cipher = NULL;
++	const EVP_MD *dgst = NULL;
++	EVP_CIPHER_CTX *ctx = NULL;
++
++	if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) {
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		return 1;
++	}
++
++	aes_pw = malloc(sizeof(SRK_DEC_PW) - 1);
++	if (aes_pw == NULL) {
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		return 1;
++	}
++
++	memset(aes_salt, 0x00, sizeof(aes_salt));
++	memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1);
++	memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1);
++
++	cipher = EVP_get_cipherbyname("aes-128-cbc");
++	if (cipher == NULL) {
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		free(aes_pw);
++		return 1;
++	}
++	dgst = EVP_sha256();
++
++	EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv);
++
++	ctx = EVP_CIPHER_CTX_new();
++	/* Don't set key or IV right away; we want to check lengths */
++	if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) {
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		free(aes_pw);
++		return 1;
++	}
++
++	OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
++	OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
++
++	if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) {
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		free(aes_pw);
++		return 1;
++	}
++
++	if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) {
++		/* Error */
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		free(aes_pw);
++		EVP_CIPHER_CTX_free(ctx);
++		return 1;
++	}
++
++	if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) {
++		/* Error */
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		free(aes_pw);
++		EVP_CIPHER_CTX_free(ctx);
++		return 1;
++	}
++
++	dec_data_len = dec_data_len + dec_data_lenfinal;
++
++	memcpy(outdata, dec_data, dec_data_len);
++	*out_len = dec_data_len;
++
++	free(aes_pw);
++	EVP_CIPHER_CTX_free(ctx);
++
++	return 0;
++}
++
+ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ {
+ 	TSS_RESULT result;
+@@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ 		return 0;
+ 	}
+ 
+-	srkPasswd = getenv("TPM_SRK_PW");
++	srkPasswd = getenv("TPM_SRK_ENC_PW");
+ 	if (NULL != srkPasswd) {
++		int in_len = strlen(srkPasswd);
++		int out_len;
++		unsigned char *out_buf;
++
++		if (!in_len || in_len % 4) {
++			Tspi_Context_CloseObject(hContext, hSRK);
++			free(auth);
++			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++			return 0;
++		}
++
++		out_len = in_len * 3 / 4;
++		out_buf = malloc(out_len);
++		if (NULL == out_buf) {
++			Tspi_Context_CloseObject(hContext, hSRK);
++			free(auth);
++			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++			return 0;
++		}
++
++		if (tpm_decode_base64(srkPasswd, strlen(srkPasswd),
++					out_buf, &out_len)) {
++			Tspi_Context_CloseObject(hContext, hSRK);
++			free(auth);
++			free(out_buf);
++			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++			return 0;
++		}
++
++		if (tpm_decrypt_srk_pw(out_buf, out_len,
++							auth, &authlen)) {
++			Tspi_Context_CloseObject(hContext, hSRK);
++			free(auth);
++			free(out_buf);
++			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++			return 0;
++		}
++		secretMode = TSS_SECRET_MODE_PLAIN;
++		free(out_buf);
++	}
++#ifdef TPM_SRK_PLAIN_PW
++	else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {
+ 		if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
+ 			memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
+ 			secretMode = TSS_SECRET_MODE_SHA1;
+@@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ 			authlen = strlen(auth);
+ 		}
+ 	}
++#endif
+ 	else {
+ 		if (!tpm_engine_get_auth(ui, (char *)auth, 128,
+ 				"SRK authorization: ", cb_data)) {
+diff --git a/e_tpm.h b/e_tpm.h
+index 6316e0b..56ff202 100644
+--- a/e_tpm.h
++++ b/e_tpm.h
+@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
+ #define TPM_F_TPM_FILL_RSA_OBJECT		116
+ #define TPM_F_TPM_ENGINE_GET_AUTH		117
+ #define TPM_F_TPM_CREATE_SRK_POLICY		118
++#define TPM_F_TPM_DECODE_BASE64			119
++#define TPM_F_TPM_DECRYPT_SRK_PW		120
+ 
+ /* Reason codes. */
+ #define TPM_R_ALREADY_LOADED			100
+@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
+ #define TPM_R_ID_INVALID			125
+ #define TPM_R_UI_METHOD_FAILED			126
+ #define TPM_R_UNKNOWN_SECRET_MODE		127
++#define TPM_R_DECODE_BASE64_FAILED		128
++#define TPM_R_DECRYPT_SRK_PW_FAILED		129
+ 
+ /* structure pointed to by the RSA object's app_data pointer */
+ struct rsa_app_data
+diff --git a/e_tpm_err.c b/e_tpm_err.c
+index 25a5d0f..439e267 100644
+--- a/e_tpm_err.c
++++ b/e_tpm_err.c
+@@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = {
+ 	{ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
+ 	{ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
+ 	{ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
++	{ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"},
++	{ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"},
+ 	{0, NULL}
+ };
+ 
+@@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = {
+ 	{TPM_R_FILE_READ_FAILED, "failed reading the key file"},
+ 	{TPM_R_ID_INVALID, "engine id doesn't match"},
+ 	{TPM_R_UI_METHOD_FAILED, "ui function failed"},
++	{TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"},
++	{TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"},
+ 	{0, NULL}
+ };
+ 
+-- 
+2.9.3
+
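Review bot: tpm_decrypt_srk_pw() decrypts an environment-supplied blob of unchecked length into the fixed `dec_data[256]` stack buffer and then memcpy()s the result into `outdata`, which the caller passes as the `auth` buffer that the surrounding code treats as 128 bytes, so an over-long `TPM_SRK_ENC_PW` overruns both; the function needs an input bound and an output capacity as sketched below, with the call site passing the size of `auth` (its allocation is outside the hunk). The two `EVP_CipherInit_ex` failure paths return without `EVP_CIPHER_CTX_free(ctx)`, and `ctx` is never checked for NULL. Under `TPM_SRK_PLAIN_PW`, the added line `else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {` is missing a closing parenthesis and will not compile. Because `SRK_DEC_PW` and `SRK_DEC_SALT` are compiled into the library, this protects the SRK password only from casual reading of the environment, which the commit message should say plainly; `key`, `iv` and `dec_data` should be cleared with `OPENSSL_cleanse` before returning.

```c
static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
				unsigned char *outdata, int out_size,
				int *out_len)
{
	/* … unchanged: local declarations and SRK_DEC_SALT length check … */

	/* EVP_CipherUpdate may write in_len plus one cipher block */
	if (in_len <= 0 ||
	    in_len > (int)sizeof(dec_data) - EVP_MAX_BLOCK_LENGTH) {
		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		return 1;
	}

	/* … unchanged: key derivation, cipher init, update and final … */

	dec_data_len = dec_data_len + dec_data_lenfinal;
	if (dec_data_len > out_size) {
		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		free(aes_pw);
		EVP_CIPHER_CTX_free(ctx);
		return 1;
	}
	memcpy(outdata, dec_data, dec_data_len);
	/* … unchanged: *out_len assignment and cleanup … */
```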
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
new file mode 100644
index 0000000..076704d
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
@@ -0,0 +1,34 @@
+From fb44e2814fd819c086f9a4c925427f89c0e8cec6 Mon Sep 17 00:00:00 2001
+From: Limeng <Meng.Li@windriver.com>
+Date: Fri, 21 Jul 2017 16:32:02 +0800
+Subject: [PATCH] tpm:openssl-tpm-engine: change variable c type from char
+ into int
+
+refer to getopt_long() function definition, its return value type is
+int. So, change variable c type from char into int.
+On arm platform, when getopt_long() calling fails, if we define c as
+char type, its value will be 255, not -1. This will cause code enter
+wrong case.
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ create_tpm_key.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/create_tpm_key.c b/create_tpm_key.c
+index 7b94d62..f30af90 100644
+--- a/create_tpm_key.c
++++ b/create_tpm_key.c
+@@ -148,7 +148,8 @@ int main(int argc, char **argv)
+ 	ASN1_OCTET_STRING *blob_str;
+ 	unsigned char	*blob_asn1 = NULL;
+ 	int		asn1_len;
+-	char		*filename, c, *openssl_key = NULL;
++	char		*filename, *openssl_key = NULL;
++	int		c;
+ 	int		option_index, auth = 0, popup = 0, wrap = 0;
+ 	int		wellknownkey = 0;
+ 	UINT32		enc_scheme = TSS_ES_RSAESPKCSV15;
+-- 
+1.7.9.5
+
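Review bot: The header of this patch has no `Upstream-Status:` line, so nothing records whether the `char` to `int` fix for the `getopt_long()` return value was sent to the openssl_tpm_engine project. The same gap appears in `ioctl_h.patch`, which spells the tag `Upstream-status:` and leaves it empty. Add the tag with whichever value is accurate, for example `Upstream-Status: Pending` as `fix_fcntl_h.patch` does, so the carried patches can be audited and dropped once upstream has them.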
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
new file mode 100644
index 0000000..4854f70
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
@@ -0,0 +1,78 @@
+DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
+HOMEPAGE = "https://sourceforge.net/projects/trousers/"
+SECTION = "security/tpm"
+
+LICENSE = "openssl"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
+
+DEPENDS += "openssl trousers"
+
+SRC_URI = "\
+    git://git.code.sf.net/p/trousers/openssl_tpm_engine \
+    file://0001-create-tpm-key-support-well-known-key-option.patch \
+    file://0002-libtpm-support-env-TPM_SRK_PW.patch \
+    file://0003-Fix-not-building-libtpm.la.patch \
+    file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
+    file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \
+"
+SRCREV = "bbc2b1af809f20686e0d3553a62f0175742c0d60"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep
+
+# The definitions below are used to decrypt the srk password.
+# It is allowed to define the values in 3 forms: string, hex number and
+# the hybrid, e.g,
+# srk_dec_pw = "incendia"
+# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
+# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
+#
+# Due to the limit of escape character, the hybrid must be written in
+# above style. The actual values defined below in C code style are:
+# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
+# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
+srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
+srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
+
+CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
+
+# Uncomment below line if using the plain srk password for development
+#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"
+
+do_configure_prepend() {
+    cd "${S}"
+    cp LICENSE COPYING
+    touch NEWS AUTHORS ChangeLog
+}
+
+do_install_append() {
+    install -m 0755 -d "${D}${libdir}/engines"
+    install -m 0755 -d "${D}${prefix}/local/ssl/lib/engines"
+    install -m 0755 -d "${D}${libdir}/ssl/engines"
+
+    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/libtpm.so.0"
+    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/engines/libtpm.so"
+    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${prefix}/local/ssl/lib/engines/libtpm.so"
+    mv -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/ssl/engines/libtpm.so"
+    mv -f "${D}${libdir}/openssl/engines/libtpm.la" "${D}${libdir}/ssl/engines/libtpm.la"
+    rm -rf "${D}${libdir}/openssl"
+}
+
+FILES_${PN}-staticdev += "${libdir}/ssl/engines/libtpm.la"
+FILES_${PN}-dbg += "\
+    ${libdir}/ssl/engines/.debug \
+    ${libdir}/engines/.debug \
+    ${prefix}/local/ssl/lib/engines/.debug \
+"
+FILES_${PN} += "\
+    ${libdir}/ssl/engines/libtpm.so* \
+    ${libdir}/engines/libtpm.so* \
+    ${libdir}/libtpm.so* \
+    ${prefix}/local/ssl/lib/engines/libtpm.so* \
+"
+
+RDEPENDS_${PN} += "libcrypto libtspi"
+
+INSANE_SKIP_${PN} = "libdir"
+INSANE_SKIP_${PN}-dbg = "libdir"
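Review bot: The `srk_dec_pw` and `srk_dec_salt` defaults are fixed values published in this layer, and the `-DSRK_DEC_PW=... -DSRK_DEC_SALT=...` line compiles them into every build that does not override them, so for such images the secret protecting the encrypted SRK password is public. Say so next to the defaults, for example `# NOTE: these defaults are public; override srk_dec_pw and srk_dec_salt in local.conf or a bbappend for any production image`. Consider failing the build when the defaults are still in place for a non-development image. Values passed with `-D` also end up on the compiler command line and therefore most likely in the task logs, which is worth a line in the same comment. Separately, `CFLAGS_append +=` mixes two append operators and only works because `+=` happens to add the leading space; the conventional form is `CFLAGS_append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"`.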
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
new file mode 100644
index 0000000..0cc4f63
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
@@ -0,0 +1,25 @@
+SUMMARY = "Command line utility to extend hash of arbitrary data into a TPMs PCR."
+HOMEPAGE = "https://github.com/flihp/pcr-extend"
+SECTION = "security/tpm"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS = "libtspi"
+
+PV = "0.1+git${SRCPV}"
+SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
+
+SRC_URI = "git://github.com/flihp/pcr-extend.git "
+
+inherit autotools
+
+S = "${WORKDIR}/git"
+
+do_compile() {
+    oe_runmake -C ${S}/src
+}
+
+do_install() {
+    install -d ${D}${bindir}
+    oe_runmake -C ${S}/src DESTDIR="${D}" install 
+}
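Review bot: `SRC_URI = "git://github.com/flihp/pcr-extend.git "` fetches over the unauthenticated git protocol, and the same applies to the `git://` URIs in the openssl-tpm-engine, swtpm, tpm-tools, tpm2-abrmd and tpm2.0-tools recipes in this commit. The pinned `SRCREV` limits what a tampered transport could deliver, but for a security layer it is cheap to authenticate the server as well, for example `SRC_URI = "git://github.com/flihp/pcr-extend.git;protocol=https"`. The trailing space inside the quoted URI and after `install` in `do_install` can be dropped at the same time.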
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
new file mode 100644
index 0000000..3d16431
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
@@ -0,0 +1,31 @@
+From 8750a6c3f0b4d9e7e45b4079150d29eb44774e9c Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Tue, 14 Mar 2017 22:59:36 -0700
+Subject: [PATCH 2/4] logging: Fix musl build issue with fcntl
+
+ error: #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.h> [-Werror=cpp]
+ #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/swtpm/logging.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/swtpm/logging.c b/src/swtpm/logging.c
+index f16cab6..7da8606 100644
+--- a/src/swtpm/logging.c
++++ b/src/swtpm/logging.c
+@@ -45,7 +45,7 @@
+ #include <errno.h>
+ #include <string.h>
+ #include <sys/types.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+-- 
+2.11.0
+
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
new file mode 100644
index 0000000..60958f7
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
@@ -0,0 +1,66 @@
+From 672bb4ee625da3141ba6cecb0601c7563de4c483 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Thu, 13 Oct 2016 02:03:56 -0700
+Subject: [PATCH 1/4] swtpm: add new package
+
+Upstream-Status: Inappropriate [OE config]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Rebased to current tip.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ configure.ac | 34 ++++++++++------------------------
+ 1 file changed, 10 insertions(+), 24 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index abf5be1..85ed6ac 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -395,31 +395,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-security"
+ dnl We have to make sure libtpms is using the same crypto library
+ dnl to avoid problems
+ AC_MSG_CHECKING([the crypto library libtpms is using])
+-dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
+-       sed -n '/SEARCH_DIR/p' | \
+-       sed 's/SEARCH_DIR("\(@<:@^"@:>@*\)"); */\1 /g' | \
+-       sed 's|=/|/|g')
+-for dir in $dirs $LIBRARY_PATH; do
+-  if test -r $dir/libtpms.so; then
+-    if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
+-      libtpms_cryptolib="openssl"
+-      break
+-    fi
+-    if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
+-      libtpms_cryptolib="freebl"
+-      break
+-    fi
++dir="$SEARCH_DIR"
++if test -r $dir/libtpms.so; then
++  if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
++    libtpms_cryptolib="openssl"
++    break
+   fi
+-  case $host_os in
+-  cygwin|openbsd*)
+-    if test -r $dir/libtpms.a; then
+-      if test -n "$(nm $dir/libtpms.a | grep "U AES_encrypt")"; then
+-        libtpms_cryptolib="openssl"
+-      fi
+-    fi
+-    ;;
+-  esac
+-done
++  if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
++    libtpms_cryptolib="freebl"
++    break
++  fi
++fi
+ 
+ if test -z "$libtpms_cryptolib"; then
+   AC_MSG_ERROR([Could not determine libtpms crypto library.])
+-- 
+2.11.0
+
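Review bot: Both `break` statements kept on the new side are left over from the removed `for dir in $dirs $LIBRARY_PATH` loop and now sit outside any loop, where shell behaviour is unspecified; bash prints a warning and carries on, so the `libnss3.so` test can overwrite a result already set by the `libcrypto.so` test. Drop the two `break` lines and turn the second test into `elif test -n "..."` so the first match wins as before. `dir="$SEARCH_DIR"` is also used unchecked and unquoted, so an unset variable silently probes `/libtpms.so`; a guard such as `test -n "$SEARCH_DIR" || AC_MSG_ERROR([SEARCH_DIR is not set])` would make that failure explicit.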
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch
new file mode 100644
index 0000000..d736bc6
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch
@@ -0,0 +1,22 @@
+tpm_ioctl: fix musl for missing ioctl
+
+tpm_ioctl.c: In function 'ioctl_to_cmd':
+tpm_ioctl.c:86:26: error: '_IOC_NRSHIFT' undeclared (first use in this function)
+     return ((ioctlnum >> _IOC_NRSHIFT) & _IOC_NRMASK) + 1;
+
+
+Upstream-status:
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: git/src/swtpm_ioctl/tpm_ioctl.c
+===================================================================
+--- git.orig/src/swtpm_ioctl/tpm_ioctl.c
++++ git/src/swtpm_ioctl/tpm_ioctl.c
+@@ -58,6 +58,7 @@
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <sys/ioctl.h>
++#include <asm/ioctl.h>
+ #include <getopt.h>
+ #include <sys/un.h>
+ #include <sys/types.h>
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
new file mode 100644
index 0000000..644f3ac
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
@@ -0,0 +1,53 @@
+SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
+LICENSE = "MIT"
+DEPENDS = "swtpm-native tpm-tools-native net-tools-native"
+
+inherit native
+
+# The whole point of the recipe is to make files available
+# for use after the build is done, so don't clean up...
+RM_WORK_EXCLUDE += "${PN}"
+
+do_create_wrapper () {
+    # Wrap (almost) all swtpm binaries. Some get special wrappers and some
+    # are not needed.
+    for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do
+        exe=`basename $i`
+        case $exe in
+            swtpm_setup.sh)
+                cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around swtpm_setup.sh which adds parameters required to
+# run the setup as non-root directly from the native sysroot.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+# tcsd only allows to be run as root or tss. Pretend to be root...
+exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
+EOF
+                ;;
+            swtpm_setup)
+                true
+                ;;
+            *)
+                cat >${WORKDIR}/${exe}_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around $exe which makes it easier to invoke
+# the right binary.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+exec ${exe} "\$@"
+EOF
+                ;;
+        esac
+    done
+
+    chmod a+rx ${WORKDIR}/*.sh
+}
+
+addtask do_create_wrapper before do_build after do_prepare_recipe_sysroot
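Review bot: `do_create_wrapper` relies on unquoted expansions throughout: the `for i in` loop over the `find` output and the `basename $i` call split on whitespace, and the closing `chmod a+rx ${WORKDIR}/*.sh` changes every `.sh` file in WORKDIR rather than only the wrappers this task wrote. Narrow and quote these, for example `exe=$(basename "$i")` and `chmod a+rx "${WORKDIR}"/*_oe.sh`. It would also help to add a short comment above the first heredoc saying that it is deliberately unquoted so `${bindir}`, `${FAKEROOTENV}` and `${FAKEROOTCMD}` are expanded at build time while `\$PATH` and `\$@` are left for the wrapper's run time.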
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
new file mode 100644
index 0000000..7476020
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -0,0 +1,61 @@
+SUMMARY = "SWTPM - Software TPM Emulator"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
+SECTION = "apps"
+
+DEPENDS = "libtasn1 expect socat glib-2.0 libtpm libtpm-native"
+
+# configure checks for the tools already during compilation and
+# then swtpm_setup needs them at runtime
+DEPENDS += "tpm-tools-native expect-native socat-native"
+RDEPENDS_${PN} += "tpm-tools"
+
+SRCREV = "4f4f2f0a7e3195f6df8d235d58630a08e69403d8"
+SRC_URI = "git://github.com/stefanberger/swtpm.git \
+           file://fix_lib_search_path.patch \
+           file://fix_fcntl_h.patch \
+           file://ioctl_h.patch \
+           "
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig
+PARALLEL_MAKE = ""
+
+TSS_USER="tss"
+TSS_GROUP="tss"
+
+PACKAGECONFIG ?= "openssl cuse"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
+PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
+PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
+PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"
+
+EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"
+
+export SEARCH_DIR = "${STAGING_LIBDIR_NATIVE}"
+
+# dup bootstrap 
+do_configure_prepend () {
+	libtoolize --force --copy
+	autoheader
+	aclocal
+	automake --add-missing -c
+	autoconf
+}
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system ${TSS_USER}"
+USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir  \
+    --no-create-home  --shell /bin/false ${BPN}"
+
+RDEPENDS_${PN} = "libtpm expect socat bash"
+
+BBCLASSEXTEND = "native nativesdk"
+
+python() {
+    if 'cuse' in d.getVar('PACKAGECONFIG') and \
+        'filesystems-layer' not in d.getVar('BBFILE_COLLECTIONS').split():
+        raise bb.parse.SkipRecipe('Cuse enabled which requires meta-filesystems to be present.')
+}
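Review bot: The account setup near the end of the recipe looks both inert and malformed. The only `inherit` line is `autotools-brokensep pkgconfig`, so unless `useradd` is pulled in elsewhere the `USERADD_*` and `GROUPADD_*` variables are never acted on. In `USERADD_PARAM_${PN}`, `--home-dir` has no value, so `--no-create-home` would be consumed as the home directory. The account created is `${BPN}` rather than the `${TSS_USER}` passed to `--with-tss-user`, and `GROUPADD_PARAM_${PN}` names the group with `${TSS_USER}`. Suggested lines: `inherit autotools-brokensep pkgconfig useradd`, `GROUPADD_PARAM_${PN} = "--system ${TSS_GROUP}"` and `USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir /var/lib/tpm --no-create-home --shell /bin/false ${TSS_USER}"`, where the home path is only an example borrowed from the tpm2-abrmd recipe. Note too that the later `RDEPENDS_${PN} = "libtpm expect socat bash"` discards the earlier `RDEPENDS_${PN} += "tpm-tools"`.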
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
new file mode 100644
index 0000000..8486d00
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
@@ -0,0 +1,23 @@
+SUMMARY = "The TPM Quote Tools is a collection of programs that provide support \
+  for TPM based attestation using the TPM quote mechanism. \
+  "
+DESCRIPTION = "The TPM Quote Tools is a collection of programs that provide support \
+  for TPM based attestation using the TPM quote mechanism.  The manual \
+  page for tpm_quote_tools provides a usage overview. \
+  \
+  TPM Quote Tools has been tested with TrouSerS on Linux and NTRU on \
+  Windows XP.  It was ported to Windows using MinGW and MSYS. \
+  "
+HOMEPAGE = "https://sourceforge.net/projects/tpmquotetools/"
+SECTION = "security/tpm"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8ec30b01163d242ecf07d9cd84e3611f"
+
+DEPENDS = "libtspi tpm-tools"
+
+SRC_URI = "${SOURCEFORGE_MIRROR}/tpmquotetools/${PV}/${BP}.tar.gz"
+
+SRC_URI[md5sum] = "6e194f5bc534301bbaef53dc6d22c233"
+SRC_URI[sha256sum] = "10dc4eade02635557a9496b388360844cd18e7864e2eb882f5e45ab2fa405ae2"
+
+inherit autotools
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
new file mode 100644
index 0000000..ab5e683
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
@@ -0,0 +1,244 @@
+Index: tpm-tools-1.3.8/include/tpm_tspi.h
+===================================================================
+--- tpm-tools-1.3.8.orig/include/tpm_tspi.h	2011-08-17 08:20:35.000000000 -0400
++++ tpm-tools-1.3.8/include/tpm_tspi.h	2013-01-05 23:26:31.571598217 -0500
+@@ -117,6 +117,10 @@
+ 			UINT32 *a_PcrSize, BYTE **a_PcrValue);
+ TSS_RESULT pcrcompositeSetPcrValue(TSS_HPCRS a_hPcrs, UINT32 a_Idx,
+ 					UINT32 a_PcrSize, BYTE *a_PcrValue);
++TSS_RESULT tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx,
++			UINT32 a_DataSize, BYTE *a_Data,
++			TSS_PCR_EVENT *a_Event,
++			UINT32 *a_PcrSize, BYTE **a_PcrValue);
+ #ifdef TSS_LIB_IS_12
+ TSS_RESULT unloadVersionInfo(UINT64 *offset, BYTE *blob, TPM_CAP_VERSION_INFO *v);
+ TSS_RESULT pcrcompositeSetPcrLocality(TSS_HPCRS a_hPcrs, UINT32 localityValue);
+Index: tpm-tools-1.3.8/lib/tpm_tspi.c
+===================================================================
+--- tpm-tools-1.3.8.orig/lib/tpm_tspi.c	2011-08-17 08:20:35.000000000 -0400
++++ tpm-tools-1.3.8/lib/tpm_tspi.c	2013-01-05 23:27:37.731593490 -0500
+@@ -594,6 +594,20 @@
+ 	return result;
+ }
+ 
++TSS_RESULT
++tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx,
++		UINT32 a_DataSize, BYTE *a_Data,
++		TSS_PCR_EVENT *a_Event,
++		UINT32 *a_PcrSize, BYTE **a_PcrValue)
++{
++	TSS_RESULT result =
++		Tspi_TPM_PcrExtend(a_hTpm, a_Idx, a_DataSize, a_Data, a_Event,
++				   a_PcrSize, a_PcrValue);
++	tspiResult("Tspi_TPM_PcrExtend", result);
++
++	return result;
++}
++
+ #ifdef TSS_LIB_IS_12
+ /*
+  * These getPasswd functions will wrap calls to the other functions and check to see if the TSS
+Index: tpm-tools-1.3.8/src/cmds/Makefile.am
+===================================================================
+--- tpm-tools-1.3.8.orig/src/cmds/Makefile.am	2011-08-15 13:52:08.000000000 -0400
++++ tpm-tools-1.3.8/src/cmds/Makefile.am	2013-01-05 23:30:46.223593698 -0500
+@@ -22,6 +22,7 @@
+ #
+ 
+ bin_PROGRAMS 	=	tpm_sealdata \
++			tpm_extendpcr \
+ 			tpm_unsealdata
+ 
+ if TSS_LIB_IS_12
+@@ -33,4 +34,5 @@
+ LDADD		=	$(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto
+ 
+ tpm_sealdata_SOURCES = tpm_sealdata.c
++tpm_extendpcr_SOURCES = tpm_extendpcr.c
+ tpm_unsealdata_SOURCES = tpm_unsealdata.c
+Index: tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c	2013-01-05 23:37:43.403585514 -0500
+@@ -0,0 +1,181 @@
++/*
++ * The Initial Developer of the Original Code is International
++ * Business Machines Corporation. Portions created by IBM
++ * Corporation are Copyright (C) 2005, 2006 International Business
++ * Machines Corporation. All Rights Reserved.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the Common Public License as published by
++ * IBM Corporation; either version 1 of the License, or (at your option)
++ * any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * Common Public License for more details.
++ *
++ * You should have received a copy of the Common Public License
++ * along with this program; if not, a copy can be viewed at
++ * http://www.opensource.org/licenses/cpl1.0.php.
++ */
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++#include <limits.h>
++#include "tpm_tspi.h"
++#include "tpm_utils.h"
++#include "tpm_seal.h"
++
++// #define TPM_EXTENDPCR_DEBUG
++
++static void help(const char *aCmd)
++{
++	logCmdHelp(aCmd);
++	logCmdOption("-i, --infile FILE",
++		     _
++		     ("Filename containing data to extend PCRs with. Default is STDIN."));
++	logCmdOption("-p, --pcr NUMBER",
++		     _("PCR to extend."));
++
++}
++
++static char in_filename[PATH_MAX] = "";
++static TSS_HPCRS hPcrs = NULL_HPCRS;
++static TSS_HTPM hTpm;
++static UINT32 selectedPcrs[24];
++static UINT32 selectedPcrsLen = 0;
++TSS_HCONTEXT hContext = 0;
++
++static int parse(const int aOpt, const char *aArg)
++{
++	int rc = -1;
++
++	switch (aOpt) {
++	case 'i':
++		if (aArg) {
++			strncpy(in_filename, aArg, PATH_MAX);
++			rc = 0;
++		}
++		break;
++	case 'p':
++		if (aArg) {
++			selectedPcrs[selectedPcrsLen++] = atoi(aArg);
++			rc = 0;
++		}
++		break;
++	default:
++		break;
++	}
++	return rc;
++
++}
++
++int main(int argc, char **argv)
++{
++
++	int iRc = -1;
++	struct option opts[] = {
++		{"infile", required_argument, NULL, 'i'},
++		{"pcr", required_argument, NULL, 'p'},
++	};
++	unsigned char line[EVP_MD_block_size(EVP_sha1()) * 16];
++	int lineLen;
++	UINT32 i;
++
++	BIO *bin = NULL;
++
++	initIntlSys();
++
++	if (genericOptHandler(argc, argv, "i:p:", opts,
++			      sizeof(opts) / sizeof(struct option), parse,
++			      help) != 0)
++		goto out;
++
++	if (contextCreate(&hContext) != TSS_SUCCESS)
++		goto out;
++
++	if (contextConnect(hContext) != TSS_SUCCESS)
++		goto out_close;
++
++	if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
++		goto out_close;
++
++	/* Create a BIO for the input file */
++	if ((bin = BIO_new(BIO_s_file())) == NULL) {
++		logError(_("Unable to open input BIO\n"));
++		goto out_close;
++	}
++
++	/* Assign the input file to the BIO */
++	if (strlen(in_filename) == 0) 
++		BIO_set_fp(bin, stdin, BIO_NOCLOSE);
++	else if (!BIO_read_filename(bin, in_filename)) {
++		logError(_("Unable to open input file: %s\n"),
++			 in_filename);
++		goto out_close;
++	}
++
++	/* Create the PCRs object. If any PCRs above 15 are selected, this will need to be
++	 * a 1.2 TSS/TPM */
++	if (selectedPcrsLen) {
++		TSS_FLAG initFlag = 0;
++		UINT32 pcrSize;
++		BYTE *pcrValue;
++
++		for (i = 0; i < selectedPcrsLen; i++) {
++			if (selectedPcrs[i] > 15) {
++#ifdef TSS_LIB_IS_12
++				initFlag |= TSS_PCRS_STRUCT_INFO_LONG;
++#else
++				logError(_("This version of %s was compiled for a v1.1 TSS, which "
++					 "can only seal\n data to PCRs 0-15. PCR %u is out of range"
++					 "\n"), argv[0], selectedPcrs[i]);
++				goto out_close;
++#endif
++			}
++		}
++
++		unsigned char msg[EVP_MAX_MD_SIZE];
++		unsigned int msglen;
++		EVP_MD_CTX ctx;
++		EVP_DigestInit(&ctx, EVP_sha1());
++		while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0)
++			EVP_DigestUpdate(&ctx, line, lineLen);
++		EVP_DigestFinal(&ctx, msg, &msglen);
++
++		if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag,
++					&hPcrs) != TSS_SUCCESS)
++			goto out_close;
++
++		for (i = 0; i < selectedPcrsLen; i++) {
++#ifdef TPM_EXTENDPCR_DEBUG
++			if (tpmPcrRead(hTpm, selectedPcrs[i], &pcrSize, &pcrValue) != TSS_SUCCESS)
++				goto out_close;
++
++			unsigned int j;
++			for (j = 0; j < pcrSize; j++)
++			  printf("%02X ", pcrValue[j]);
++			printf("\n");
++#endif
++			
++			if (tpmPcrExtend(hTpm, selectedPcrs[i], msglen, msg, NULL, &pcrSize, &pcrValue) != TSS_SUCCESS)
++			  goto out_close;
++
++#ifdef TPM_EXTENDPCR_DEBUG
++			for (j = 0; j < pcrSize; j++)
++			  printf("%02X ", pcrValue[j]);
++			printf("\n");
++#endif
++		}
++	}
++
++	iRc = 0;
++	logSuccess(argv[0]);
++
++out_close:
++	contextClose(hContext);
++
++out:
++	if (bin)
++		BIO_free(bin);
++	return iRc;
++}
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb
new file mode 100644
index 0000000..f670bff
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb
@@ -0,0 +1,35 @@
+SUMMARY = "The tpm-tools package contains commands to allow the platform administrator the ability to manage and diagnose the platform's TPM."
+DESCRIPTION = " \
+  The tpm-tools package contains commands to allow the platform administrator \
+  the ability to manage and diagnose the platform's TPM.  Additionally, the \
+  package contains commands to utilize some of the capabilities available \
+  in the TPM PKCS#11 interface implemented in the openCryptoki project. \
+  "
+SECTION = "tpm"
+LICENSE = "CPL-1.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
+
+DEPENDS = "libtspi openssl"
+DEPENDS_class-native = "trousers-native"
+
+SRCREV = "5c5126bedf2da97906358adcfb8c43c86e7dd0ee"
+SRC_URI = " \
+	git://git.code.sf.net/p/trousers/tpm-tools \
+	file://tpm-tools-extendpcr.patch \
+	"
+
+PV = "1.3.9.1+git${SRCPV}"
+
+inherit autotools-brokensep gettext
+
+S = "${WORKDIR}/git"
+
+do_configure_prepend () {
+	mkdir -p po
+	mkdir -p m4
+	cp -R po_/* po/
+	touch po/Makefile.in.in
+	touch m4/Makefile.am
+}
+
+BBCLASSEXTEND = "native"
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh
new file mode 100644
index 0000000..c8dfb7d
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides:		tpm2-abrmd
+# Required-Start:	$local_fs $remote_fs $network
+# Required-Stop:	$local_fs $remote_fs $network
+# Should-Start:
+# Should-Stop:
+# Default-Start:	2 3 4 5
+# Default-Stop:		0 1 6
+# Short-Description:	starts tpm2-abrmd
+# Description:		tpm2-abrmd implements the TCG resource manager
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/tpm2-abrmd
+NAME=tpm2-abrmd
+DESC="TCG TSS2 Access Broker and Resource Management daemon"
+USER="tss"
+
+test -x "${DAEMON}" || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+case "${1}" in
+	start)
+		echo -n "Starting $DESC: "
+
+		if [ ! -e /dev/tpm* ]
+		then
+			echo "device driver not loaded, skipping."
+			exit 0
+		fi
+
+		start-stop-daemon --start --quiet --oknodo --background --pidfile /var/run/${NAME}.pid --user ${USER} --chuid ${USER} --exec ${DAEMON} -- ${DAEMON_OPTS}
+		RETVAL="$?"
+		echo "$NAME."
+		[ "$RETVAL" = 0 ] && pidof $DAEMON > /var/run/${NAME}.pid
+		exit $RETVAL
+		;;
+
+	stop)
+		echo -n "Stopping $DESC: "
+
+		start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --exec ${DAEMON}
+		RETVAL="$?"
+                echo  "$NAME."
+		rm -f /var/run/${NAME}.pid
+		exit $RETVAL
+		;;
+
+	restart|force-reload)
+		"${0}" stop
+		sleep 1
+		"${0}" start
+		exit $?
+		;;
+	*)
+		echo "Usage: ${NAME} {start|stop|restart|force-reload|status}" >&2
+		exit 3
+		;;
+esac
+
+exit 0
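Review bot: The device check `[ ! -e /dev/tpm* ]` in the `start` branch breaks as soon as the glob matches more than one node (for example a TPM device plus its resource-manager node): `[` then gets too many arguments, prints an error and the script starts the daemon anyway. A form that tolerates any number of matches is `if ! ls /dev/tpm* >/dev/null 2>&1`. The pidfile is written afterwards with `pidof $DAEMON > /var/run/${NAME}.pid`, which races with the backgrounded start and can record nothing or several PIDs; passing `--make-pidfile` to `start-stop-daemon` avoids that. The usage string also advertises `status`, which the `case` does not handle.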
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default
new file mode 100644
index 0000000..987978a
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default
@@ -0,0 +1 @@
+DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transient-objects=20 --fail-on-loaded-trans"
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb
new file mode 100644
index 0000000..a5d6843
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb
@@ -0,0 +1,54 @@
+SUMMARY = "TPM2 Access Broker & Resource Manager"
+DESCRIPTION = "This is a system daemon implementing the TPM2 access \
+broker (TAB) & Resource Manager (RM) spec from the TCG. The daemon (tpm2-abrmd) \
+is implemented using Glib and the GObject system. In this documentation and \
+in the code we use `tpm2-abrmd` and `tabrmd` interchangeably. \
+"
+SECTION = "security/tpm"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+
+DEPENDS += "autoconf-archive dbus glib-2.0 pkgconfig tpm2.0-tss glib-2.0-native"
+
+SRC_URI = "\
+    git://github.com/01org/tpm2-abrmd.git \
+    file://tpm2-abrmd-init.sh \
+    file://tpm2-abrmd.default \
+"
+SRCREV = "59ce1008e5fa3bd5a143437b0f7390851fd25bd8"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig systemd update-rc.d useradd
+
+SYSTEMD_PACKAGES += "${PN}"
+SYSTEMD_SERVICE_${PN} = "tpm2-abrmd.service"
+SYSTEMD_AUTO_ENABLE_${PN} = "disable"
+
+INITSCRIPT_NAME = "${PN}"
+INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "tss"
+USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
+
+PACKAGECONFIG ?="udev"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}"
+
+PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no"
+PACKAGECONFIG[udev] = "--with-udevrulesdir=${sysconfdir}/udev/rules.d, --without-udevrulesdir"
+
+do_install_append() {
+    install -d "${D}${sysconfdir}/init.d"
+    install -m 0755 "${WORKDIR}/tpm2-abrmd-init.sh" "${D}${sysconfdir}/init.d/tpm2-abrmd"
+
+    install -d "${D}${sysconfdir}/default"
+    install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd"
+}
+
+FILES_${PN} += "${libdir}/systemd/system-preset"
+
+RDEPENDS_${PN} += "libgcc dbus-glib libtss2 libtctidevice libtctisocket"
+
+BBCLASSEXTEND = "native"
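Review bot: `GROUPADD_PARAM_${PN} = "tss"` creates the group as an ordinary one, while `USERADD_PARAM_${PN}` creates the `tss` user with `--system`, so the daemon's group receives a GID from the regular-user range. Use `GROUPADD_PARAM_${PN} = "--system tss"` to keep the two consistent. Other recipes in this layer also define a `tss` account (the swtpm recipe in this commit does), so the home directory and shell chosen here should match them, or the result depends on package install order.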
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb
new file mode 100644
index 0000000..7ec12fc
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Tools for TPM2."
+DESCRIPTION = "tpm2.0-tools"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=91b7c548d73ea16537799e8060cea819"
+SECTION = "tpm"
+
+DEPENDS = "pkgconfig tpm2.0-tss openssl curl autoconf-archive"
+
+# July 10, 2017
+SRCREV = "26c0557040c1cf8107fa3ebbcf2a5b07cc84b881"
+
+SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools"
+
+S = "${WORKDIR}/tpm2.0-tools"
+
+PV = "2.0.0+git${SRCPV}"
+
+inherit autotools pkgconfig
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4 b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4
new file mode 100644
index 0000000..d383ad5
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4
@@ -0,0 +1,332 @@
+# ===========================================================================
+#        http://www.gnu.org/software/autoconf-archive/ax_pthread.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
+#
+# DESCRIPTION
+#
+#   This macro figures out how to build C programs using POSIX threads. It
+#   sets the PTHREAD_LIBS output variable to the threads library and linker
+#   flags, and the PTHREAD_CFLAGS output variable to any special C compiler
+#   flags that are needed. (The user can also force certain compiler
+#   flags/libs to be tested by setting these environment variables.)
+#
+#   Also sets PTHREAD_CC to any special C compiler that is needed for
+#   multi-threaded programs (defaults to the value of CC otherwise). (This
+#   is necessary on AIX to use the special cc_r compiler alias.)
+#
+#   NOTE: You are assumed to not only compile your program with these flags,
+#   but also link it with them as well. e.g. you should link with
+#   $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
+#
+#   If you are only building threads programs, you may wish to use these
+#   variables in your default LIBS, CFLAGS, and CC:
+#
+#     LIBS="$PTHREAD_LIBS $LIBS"
+#     CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+#     CC="$PTHREAD_CC"
+#
+#   In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant
+#   has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name
+#   (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
+#
+#   Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the
+#   PTHREAD_PRIO_INHERIT symbol is defined when compiling with
+#   PTHREAD_CFLAGS.
+#
+#   ACTION-IF-FOUND is a list of shell commands to run if a threads library
+#   is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it
+#   is not found. If ACTION-IF-FOUND is not specified, the default action
+#   will define HAVE_PTHREAD.
+#
+#   Please let the authors know if this macro fails on any platform, or if
+#   you have any other suggestions or comments. This macro was based on work
+#   by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help
+#   from M. Frigo), as well as ac_pthread and hb_pthread macros posted by
+#   Alejandro Forero Cuervo to the autoconf macro repository. We are also
+#   grateful for the helpful feedback of numerous users.
+#
+#   Updated for Autoconf 2.68 by Daniel Richard G.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu>
+#   Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG>
+#
+#   This program is free software: you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 21
+
+AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
+AC_DEFUN([AX_PTHREAD], [
+AC_REQUIRE([AC_CANONICAL_HOST])
+AC_LANG_PUSH([C])
+ax_pthread_ok=no
+
+# We used to check for pthread.h first, but this fails if pthread.h
+# requires special compiler flags (e.g. on True64 or Sequent).
+# It gets checked for in the link test anyway.
+
+# First of all, check if the user has set any of the PTHREAD_LIBS,
+# etcetera environment variables, and if threads linking works using
+# them:
+if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then
+        save_CFLAGS="$CFLAGS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        save_LIBS="$LIBS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+        AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS])
+        AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes])
+        AC_MSG_RESULT([$ax_pthread_ok])
+        if test x"$ax_pthread_ok" = xno; then
+                PTHREAD_LIBS=""
+                PTHREAD_CFLAGS=""
+        fi
+        LIBS="$save_LIBS"
+        CFLAGS="$save_CFLAGS"
+fi
+
+# We must check for the threads library under a number of different
+# names; the ordering is very important because some systems
+# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
+# libraries is broken (non-POSIX).
+
+# Create a list of thread flags to try.  Items starting with a "-" are
+# C compiler flags, and other items are library names, except for "none"
+# which indicates that we try without any flags at all, and "pthread-config"
+# which is a program returning the flags for the Pth emulation library.
+
+ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
+
+# The ordering *is* (sometimes) important.  Some notes on the
+# individual items follow:
+
+# pthreads: AIX (must check this before -lpthread)
+# none: in case threads are in libc; should be tried before -Kthread and
+#       other compiler flags to prevent continual compiler warnings
+# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
+# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
+# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
+# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads)
+# -pthreads: Solaris/gcc
+# -mthreads: Mingw32/gcc, Lynx/gcc
+# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
+#      doesn't hurt to check since this sometimes defines pthreads too;
+#      also defines -D_REENTRANT)
+#      ... -mt is also the pthreads flag for HP/aCC
+# pthread: Linux, etcetera
+# --thread-safe: KAI C++
+# pthread-config: use pthread-config program (for GNU Pth library)
+
+case ${host_os} in
+        solaris*)
+
+        # On Solaris (at least, for some versions), libc contains stubbed
+        # (non-functional) versions of the pthreads routines, so link-based
+        # tests will erroneously succeed.  (We need to link with -pthreads/-mt/
+        # -lpthread.)  (The stubs are missing pthread_cleanup_push, or rather
+        # a function called by this macro, so we could check for that, but
+        # who knows whether they'll stub that too in a future libc.)  So,
+        # we'll just look for -pthreads and -lpthread first:
+
+        ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags"
+        ;;
+
+        darwin*)
+        ax_pthread_flags="-pthread $ax_pthread_flags"
+        ;;
+esac
+
+# Clang doesn't consider unrecognized options an error unless we specify
+# -Werror. We throw in some extra Clang-specific options to ensure that
+# this doesn't happen for GCC, which also accepts -Werror.
+
+AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags])
+save_CFLAGS="$CFLAGS"
+ax_pthread_extra_flags="-Werror"
+CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument"
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])],
+                  [AC_MSG_RESULT([yes])],
+                  [ax_pthread_extra_flags=
+                   AC_MSG_RESULT([no])])
+CFLAGS="$save_CFLAGS"
+
+if test x"$ax_pthread_ok" = xno; then
+for flag in $ax_pthread_flags; do
+
+        case $flag in
+                none)
+                AC_MSG_CHECKING([whether pthreads work without any flags])
+                ;;
+
+                -*)
+                AC_MSG_CHECKING([whether pthreads work with $flag])
+                PTHREAD_CFLAGS="$flag"
+                ;;
+
+                pthread-config)
+                AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
+                if test x"$ax_pthread_config" = xno; then continue; fi
+                PTHREAD_CFLAGS="`pthread-config --cflags`"
+                PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
+                ;;
+
+                *)
+                AC_MSG_CHECKING([for the pthreads library -l$flag])
+                PTHREAD_LIBS="-l$flag"
+                ;;
+        esac
+
+        save_LIBS="$LIBS"
+        save_CFLAGS="$CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags"
+
+        # Check for various functions.  We must include pthread.h,
+        # since some functions may be macros.  (On the Sequent, we
+        # need a special flag -Kthread to make this header compile.)
+        # We check for pthread_join because it is in -lpthread on IRIX
+        # while pthread_create is in libc.  We check for pthread_attr_init
+        # due to DEC craziness with -lpthreads.  We check for
+        # pthread_cleanup_push because it is one of the few pthread
+        # functions on Solaris that doesn't have a non-functional libc stub.
+        # We try pthread_create on general principles.
+        AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>
+                        static void routine(void *a) { a = 0; }
+                        static void *start_routine(void *a) { return a; }],
+                       [pthread_t th; pthread_attr_t attr;
+                        pthread_create(&th, 0, start_routine, 0);
+                        pthread_join(th, 0);
+                        pthread_attr_init(&attr);
+                        pthread_cleanup_push(routine, 0);
+                        pthread_cleanup_pop(0) /* ; */])],
+                [ax_pthread_ok=yes],
+                [])
+
+        LIBS="$save_LIBS"
+        CFLAGS="$save_CFLAGS"
+
+        AC_MSG_RESULT([$ax_pthread_ok])
+        if test "x$ax_pthread_ok" = xyes; then
+                break;
+        fi
+
+        PTHREAD_LIBS=""
+        PTHREAD_CFLAGS=""
+done
+fi
+
+# Various other checks:
+if test "x$ax_pthread_ok" = xyes; then
+        save_LIBS="$LIBS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+        save_CFLAGS="$CFLAGS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+
+        # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
+        AC_MSG_CHECKING([for joinable pthread attribute])
+        attr_name=unknown
+        for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
+            AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>],
+                           [int attr = $attr; return attr /* ; */])],
+                [attr_name=$attr; break],
+                [])
+        done
+        AC_MSG_RESULT([$attr_name])
+        if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then
+            AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name],
+                               [Define to necessary symbol if this constant
+                                uses a non-standard name on your system.])
+        fi
+
+        AC_MSG_CHECKING([if more special flags are required for pthreads])
+        flag=no
+        case ${host_os} in
+            aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";;
+            osf* | hpux*) flag="-D_REENTRANT";;
+            solaris*)
+            if test "$GCC" = "yes"; then
+                flag="-D_REENTRANT"
+            else
+                # TODO: What about Clang on Solaris?
+                flag="-mt -D_REENTRANT"
+            fi
+            ;;
+        esac
+        AC_MSG_RESULT([$flag])
+        if test "x$flag" != xno; then
+            PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
+        fi
+
+        AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
+            [ax_cv_PTHREAD_PRIO_INHERIT], [
+                AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
+                                                [[int i = PTHREAD_PRIO_INHERIT;]])],
+                    [ax_cv_PTHREAD_PRIO_INHERIT=yes],
+                    [ax_cv_PTHREAD_PRIO_INHERIT=no])
+            ])
+        AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"],
+            [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])])
+
+        LIBS="$save_LIBS"
+        CFLAGS="$save_CFLAGS"
+
+        # More AIX lossage: compile with *_r variant
+        if test "x$GCC" != xyes; then
+            case $host_os in
+                aix*)
+                AS_CASE(["x/$CC"],
+                  [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6],
+                  [#handle absolute path differently from PATH based program lookup
+                   AS_CASE(["x$CC"],
+                     [x/*],
+                     [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])],
+                     [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])])
+                ;;
+            esac
+        fi
+fi
+
+test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
+
+AC_SUBST([PTHREAD_LIBS])
+AC_SUBST([PTHREAD_CFLAGS])
+AC_SUBST([PTHREAD_CC])
+
+# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
+if test x"$ax_pthread_ok" = xyes; then
+        ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
+        :
+else
+        ax_pthread_ok=no
+        $2
+fi
+AC_LANG_POP
+])dnl AX_PTHREAD
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch
new file mode 100644
index 0000000..ecaca6e
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch
@@ -0,0 +1,31 @@
+This fixes musl build issue do to missing FD_* defines.
+Add sys/select.h
+
+Upstream-Status: Pending
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: TPM2.0-TSS/tcti/tcti_socket.cpp
+===================================================================
+--- TPM2.0-TSS.orig/tcti/tcti_socket.cpp
++++ TPM2.0-TSS/tcti/tcti_socket.cpp
+@@ -28,6 +28,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>   // Needed for _wtoi
+ 
++#include "sys/select.h"
+ #include <sapi/tpm20.h>
+ #include <tcti/tcti_socket.h>
+ #include "sysapi_util.h"
+Index: TPM2.0-TSS/resourcemgr/resourcemgr.c
+===================================================================
+--- TPM2.0-TSS.orig/resourcemgr/resourcemgr.c
++++ TPM2.0-TSS/resourcemgr/resourcemgr.c
+@@ -28,6 +28,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>   // Needed for _wtoi
+ 
++#include "sys/select.h"
+ #include <sapi/tpm20.h>
+ #include <tcti/tcti_device.h>
+ #include <tcti/tcti_socket.h>
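Review bot: This patch file does not appear to be applied anywhere: the `SRC_URI` of tpm2.0-tss_1.3.0.bb in this commit lists only the git repository and `file://ax_pthread.m4`, so the musl fix would be dead weight unless another recipe or bbappend outside this view references it. Either add `file://fix_musl_select_include.patch` to that `SRC_URI` or drop the file. If it is kept, both added lines should use the system-header form, `#include <sys/select.h>`, because the quoted form searches the including file's directory first and could pick up an unrelated local header.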
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb
new file mode 100644
index 0000000..b673c2b
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb
@@ -0,0 +1,99 @@
+SUMMARY = "Software stack for TPM2."
+DESCRIPTION = "tpm2.0-tss like woah."
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+SECTION = "tpm"
+
+DEPENDS = "autoconf-archive pkgconfig"
+
+SRCREV = "b1d9ece8c6bea2e3043943b2edfaebcdca330c38"
+
+SRC_URI = " \
+    git://github.com/tpm2-software/tpm2-tss.git;branch=1.x \
+    file://ax_pthread.m4 \
+"
+
+inherit autotools pkgconfig systemd
+
+S = "${WORKDIR}/git"
+
+do_configure_prepend () {
+	mkdir -p ${S}/m4
+	cp ${WORKDIR}/ax_pthread.m4 ${S}/m4
+	# execute the bootstrap script
+	currentdir=$(pwd)
+	cd ${S}
+	ACLOCAL="aclocal --system-acdir=${STAGING_DATADIR}/aclocal" ./bootstrap
+	cd $currentdir
+}
+
+INHERIT += "extrausers"
+EXTRA_USERS_PARAMS = "\
+	useradd -p '' tss; \
+	groupadd tss; \
+	"
+
+SYSTEMD_PACKAGES = "resourcemgr"
+SYSTEMD_SERVICE_resourcemgr = "resourcemgr.service"
+SYSTEMD_AUTO_ENABLE_resourcemgr = "enable"
+
+do_patch[postfuncs] += "${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','fix_systemd_unit','', d)}"
+fix_systemd_unit () {
+    sed -i -e 's;^ExecStart=.*/resourcemgr;ExecStart=${sbindir}/resourcemgr;' ${S}/contrib/resourcemgr.service
+}
+
+do_install_append() {
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -d ${D}${systemd_system_unitdir}
+        install -m0644 ${S}/contrib/resourcemgr.service ${D}${systemd_system_unitdir}/resourcemgr.service
+    fi
+}
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = " \
+    ${PN}-dbg \
+    ${PN}-doc \
+    libtss2 \
+    libtss2-dev \
+    libtss2-staticdev \
+    libtctidevice \
+    libtctidevice-dev \
+    libtctidevice-staticdev \
+    libtctisocket \
+    libtctisocket-dev \
+    libtctisocket-staticdev \
+    resourcemgr \
+"
+
+FILES_libtss2 = " \
+	${libdir}/libsapi.so.0.0.0 \
+	${libdir}/libmarshal.so.0.0.0 \
+"
+FILES_libtss2-dev = " \
+    ${includedir}/sapi \
+    ${includedir}/tcti/common.h \
+    ${libdir}/libsapi.so* \
+    ${libdir}/libmarshal.so* \
+    ${libdir}/pkgconfig/sapi.pc \
+"
+FILES_libtss2-staticdev = " \
+    ${libdir}/libsapi.a \
+    ${libdir}/libsapi.la \
+    ${libdir}/libmarshal.a \
+    ${libdir}/libmarshal.la \
+"
+FILES_libtctidevice = "${libdir}/libtcti-device.so.0.0.0"
+FILES_libtctidevice-dev = " \
+    ${includedir}/tcti/tcti_device.h \
+    ${libdir}/libtcti-device.so* \
+    ${libdir}/pkgconfig/tcti-device.pc \
+"
+FILES_libtctidevice-staticdev = "${libdir}/libtcti-device.*a"
+FILES_libtctisocket = "${libdir}/libtcti-socket.so.0.0.0"
+FILES_libtctisocket-dev = " \
+    ${includedir}/tcti/tcti_socket.h \
+    ${libdir}/libtcti-socket.so* \
+    ${libdir}/pkgconfig/tcti-socket.pc \
+"
+FILES_libtctisocket-staticdev = "${libdir}/libtcti-socket.*a"
+FILES_resourcemgr = "${sbindir}/resourcemgr ${systemd_system_unitdir}/resourcemgr.service"
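Review bot: The `EXTRA_USERS_PARAMS` block requests `useradd -p '' tss`, that is, a regular account with an empty password field and the default shell and home, which is not what a daemon account on a TPM-enabled image should look like. It is also wired through `INHERIT += "extrausers"`, which as far as I know is a global configuration variable for image-level use and will not create the account from inside a package recipe. The trousers recipe in this same commit creates `tss` as a system account with `-s /bin/false` through the `useradd` class, and this recipe should do the same so the account exists whenever the package is installed. The sketch below attaches it to `resourcemgr` on the assumption that this is the package needing the account; `useradd` can equally be appended to the existing `inherit` line.

```bitbake
inherit useradd

# … unchanged: SYSTEMD_PACKAGES / SYSTEMD_SERVICE_resourcemgr / SYSTEMD_AUTO_ENABLE_resourcemgr …
USERADD_PACKAGES = "resourcemgr"
GROUPADD_PARAM_resourcemgr = "--system tss"
USERADD_PARAM_resourcemgr = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
```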
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb
new file mode 100644
index 0000000..866791c
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb
@@ -0,0 +1,22 @@
+SUMMARY = "TPM 2.0 Simulator Extraction Script"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1415f7be284540b81d9d28c67c1a6b8b"
+
+DEPENDS = "python"
+
+SRCREV = "e45324eba268723d39856111e7933c5c76238481"
+SRC_URI = "git://github.com/stwagnr/tpm2simulator.git"
+
+S = "${WORKDIR}/git"
+OECMAKE_SOURCEPATH = "${S}/cmake"
+
+inherit native lib_package cmake
+
+EXTRA_OECMAKE = " \
+	-DCMAKE_BUILD_TYPE=Debug \
+	-DSPEC_VERSION=138 \
+"
+
+do_configure_prepend () {
+	sed -i 's/^SET = False/SET = True/' ${S}/scripts/settings.py 
+}
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
new file mode 100644
index 0000000..7b3cc77
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
@@ -0,0 +1,68 @@
+From 3396fc7a184293c23135161f034802062f7f3816 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <adraszik@tycoint.com>
+Date: Wed, 1 Nov 2017 11:41:48 +0000
+Subject: [PATCH] build: don't override --localstatedir --mandir --sysconfdir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It is currently impossible to override localstatedir,
+mandir and sysconfdir during ./configure, because they
+are being overriden unconditionally because of they
+way trousers is built using rpmbuild.
+
+If they need massaging for rpmbuild, the values should
+be specified inside the spec file, not in ./configure
+and thereby overriding user-requested values.
+
+With this patch it is now possible to set above
+locations as needed. The .spec file is being modified
+as well so as to restore previous behaviour.
+
+Signed-off-by: André Draszik <adraszik@tycoint.com>
+---
+Upstream-Status: Submitted [https://sourceforge.net/p/trousers/mailman/message/36099290/]
+Signed-off-by: André Draszik <adraszik@tycoint.com>
+ configure.ac          | 11 ++---------
+ dist/trousers.spec.in |  2 +-
+ 2 files changed, 3 insertions(+), 10 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b9626af..7fe5f8e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -376,16 +376,9 @@ CFLAGS="$CFLAGS -I../include \
+ KERNEL_VERSION=`uname -r`
+ AC_SUBST(CFLAGS)
+ 
+-# When we build the rpms, prefix will be /usr. This'll do some things that make sense,
+-# like put our sbin stuff in /usr/sbin and our library in /usr/lib. It'll do some other
+-# things that don't make sense like put our config file in /usr/etc. So, I'll just hack
+-# it here. If the --prefix option isn't specified during configure, let it all go to
++# If the --prefix option isn't specified during configure, let it all go to
+ # /usr/local, even /usr/local/etc. :-P
+-if test x"${prefix}" = x"/usr"; then
+-	sysconfdir="/etc"
+-	localstatedir="/var"
+-	mandir="/usr/share/man"
+-elif test x"${prefix}" = x"NONE"; then
++if test x"${prefix}" = x"NONE"; then
+ 	localstatedir="/usr/local/var"
+ fi
+ 
+diff --git a/dist/trousers.spec.in b/dist/trousers.spec.in
+index b298b0e..10ef178 100644
+--- a/dist/trousers.spec.in
++++ b/dist/trousers.spec.in
+@@ -45,7 +45,7 @@ applications.
+ 
+ %build
+ %{?arch64:export PKG_CONFIG_PATH=%{pkgconfig_path}:$PKG_CONFIG_PATH}
+-./configure --prefix=/usr --libdir=%{_libdir}
++./configure --prefix=/usr --libdir=%{_libdir} --sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man
+ make
+ 
+ %clean
+-- 
+2.15.0.rc1
+
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
new file mode 100644
index 0000000..3f5a144
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
@@ -0,0 +1,49 @@
+trousers: fix compiling with musl
+
+use POSIX getpwent instead of getpwent_r
+
+Upstream-Status: Submitted
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: git/src/tspi/ps/tspps.c
+===================================================================
+--- git.orig/src/tspi/ps/tspps.c
++++ git/src/tspi/ps/tspps.c
+@@ -66,9 +66,6 @@ get_user_ps_path(char **file)
+ 	TSS_RESULT result;
+ 	char *file_name = NULL, *home_dir = NULL;
+ 	struct passwd *pwp;
+-#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
+-	struct passwd pw;
+-#endif
+ 	struct stat stat_buf;
+ 	char buf[PASSWD_BUFSIZE];
+ 	uid_t euid;
+@@ -96,24 +93,15 @@ get_user_ps_path(char **file)
+ #else
+ 	setpwent();
+ 	while (1) {
+-#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
+-		rc = getpwent_r(&pw, buf, PASSWD_BUFSIZE, &pwp);
+-		if (rc) {
+-			LogDebugFn("USER PS: Error getting path to home directory: getpwent_r: %s",
+-				   strerror(rc));
+-			endpwent();
+-			return TSPERR(TSS_E_INTERNAL_ERROR);
+-		}
+-
+-#elif (defined (__FreeBSD__) || defined (__OpenBSD__))
+ 		if ((pwp = getpwent()) == NULL) {
+ 			LogDebugFn("USER PS: Error getting path to home directory: getpwent: %s",
+                                    strerror(rc));
+ 			endpwent();
++#if (defined (__FreeBSD__) || defined (__OpenBSD__))
+ 			MUTEX_UNLOCK(user_ps_path);
++#endif
+ 			return TSPERR(TSS_E_INTERNAL_ERROR);
+ 		}
+-#endif
+ 		if (euid == pwp->pw_uid) {
+                         home_dir = strdup(pwp->pw_dir);
+                         break;
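Review bot: After this patch the Linux build walks the password database with `getpwent()`, which returns a pointer into static storage, while the only locking left in the loop (`MUTEX_UNLOCK(user_ps_path)`) is still compiled for FreeBSD/OpenBSD only. The matching lock is outside the hunk, so this is inferred, but it looks as if two threads calling into libtspi can now race on the shared entry. A reentrant POSIX lookup avoids both the enumeration and the need for a lock: keep `struct passwd pw;` and use `rc = getpwuid_r(euid, &pw, buf, PASSWD_BUFSIZE, &pwp);`, treating `rc != 0 || pwp == NULL` as the error case. Separately, the remaining error path logs `strerror(rc)` although `getpwent()` never sets `rc`. `get_user_ps_path` starts and ends outside the hunk.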
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service
new file mode 100644
index 0000000..787d4e9
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TCG Core Services Daemon
+After=syslog.target
+
+[Service]
+Type=forking
+ExecStart=@SBINDIR@/tcsd
+
+[Install]
+WantedBy=multi-user.target
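Review bot: The `[Service]` section has no `User=`/`Group=`, so under systemd tcsd is launched with root's privileges, whereas the sysvinit script added in this commit starts it with `--chuid ${USER}` (tss) and the udev rule hands the TPM device node to tss. Unless tcsd is known to drop privileges itself or to need root at start-up (neither is visible here), add `User=tss` and `Group=tss` so both init paths run the daemon with the same reduced privileges. The unit also lacks the init script's check for a TPM device node; `ConditionPathExistsGlob=/dev/tpm*` in `[Unit]` would give the same skip-if-absent behaviour.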
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
new file mode 100644
index 0000000..256babd
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
@@ -0,0 +1,2 @@
+# trousers daemon expects tpm device to be owned by tss user & group
+KERNEL=="tpm[0-9]*", MODE="0600", OWNER="tss", GROUP="tss"
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
new file mode 100644
index 0000000..d0d6cb3
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides:		tcsd trousers
+# Required-Start:	$local_fs $remote_fs $network
+# Required-Stop:	$local_fs $remote_fs $network
+# Should-Start:
+# Should-Stop:
+# Default-Start:	2 3 4 5
+# Default-Stop:		0 1 6
+# Short-Description:	starts tcsd
+# Description:		tcsd belongs to the TrouSerS TCG Software Stack
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/tcsd
+NAME=tcsd
+DESC="Trusted Computing daemon"
+USER="tss"
+
+test -x "${DAEMON}" || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+case "${1}" in
+	start)
+		echo "Starting $DESC: "
+
+		if [ ! -e /dev/tpm* ]
+		then
+			echo "device driver not loaded, skipping."
+			exit 0
+		fi
+
+		start-stop-daemon --start --quiet --oknodo \
+			--pidfile /var/run/${NAME}.pid --make-pidfile --background \
+			--user ${USER} --chuid ${USER} \
+			--exec ${DAEMON} -- ${DAEMON_OPTS} --foreground
+		RETVAL="$?"
+		echo "$NAME."
+		exit $RETVAL
+		;;
+
+	stop)
+		echo "Stopping $DESC: "
+
+		start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --exec ${DAEMON}
+		RETVAL="$?"
+                echo  "$NAME."
+		rm -f /var/run/${NAME}.pid
+		exit $RETVAL
+		;;
+
+	restart|force-reload)
+		"${0}" stop
+		sleep 1
+		"${0}" start
+		exit $?
+		;;
+	*)
+		echo "Usage: ${NAME} {start|stop|restart|force-reload|status}" >&2
+		exit 3
+		;;
+esac
+
+exit 0
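Review bot: The device check `[ ! -e /dev/tpm* ]` in the `start` branch passes an unquoted glob to `test`, so on a system with more than one match (for example a `tpm0` plus a resource-manager node) `test` receives several operands and fails with a usage error instead of answering the question. The daemon then starts only because the error status happens to make the `if` false. A form that tolerates any number of matches is `if ! ls /dev/tpm[0-9]* >/dev/null 2>&1; then`, which also lines up with the `tpm[0-9]*` pattern used in trousers-udev.rules. The usage string advertises `status`, but no such branch exists, so either implement it or drop it from the message. A short comment above the `. /etc/default/$NAME` line noting that the file is sourced as root and must stay root-owned and not world-writable would help whoever packages that file.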
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
new file mode 100644
index 0000000..fe8f557
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -0,0 +1,118 @@
+SUMMARY = "TrouSerS - An open-source TCG Software Stack implementation."
+LICENSE = "BSD"
+HOMEPAGE = "http://sourceforge.net/projects/trousers/"
+LIC_FILES_CHKSUM = "file://README;startline=3;endline=4;md5=2af28fbed0832e4d83a9e6dd68bb4413"
+SECTION = "security/tpm"
+
+DEPENDS = "openssl"
+
+SRCREV = "4b9a70d5789b0b74f43957a6c19ab2156a72d3e0"
+PV = "0.3.14+git${SRCPV}"
+
+SRC_URI = " \
+	git://git.code.sf.net/p/trousers/trousers \
+    	file://trousers.init.sh \
+    	file://trousers-udev.rules \
+    	file://tcsd.service \
+        file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
+        file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
+    	"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig useradd update-rc.d ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+
+PACKAGECONFIG ?= "gmp "
+PACKAGECONFIG[gmp] = "--with-gmp, --with-gmp=no, gmp"
+PACKAGECONFIG[gtk] = "--with-gui=gtk, --with-gui=none, gtk+"
+
+do_install () {
+    oe_runmake DESTDIR=${D} install
+}
+
+do_install_append() {
+    install -d ${D}${sysconfdir}/init.d
+    install -m 0755 ${WORKDIR}/trousers.init.sh ${D}${sysconfdir}/init.d/trousers
+    install -d ${D}${sysconfdir}/udev/rules.d
+    install -m 0644 ${WORKDIR}/trousers-udev.rules ${D}${sysconfdir}/udev/rules.d/45-trousers.rules
+
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -d ${D}${systemd_unitdir}/system
+        install -m 0644 ${WORKDIR}/tcsd.service ${D}${systemd_unitdir}/system/
+        sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/tcsd.service
+    fi        
+}
+
+CONFFILES_${PN} += "${sysconfig}/tcsd.conf"
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = " \
+	libtspi \
+	libtspi-dbg \
+	libtspi-dev \
+	libtspi-doc \
+	libtspi-staticdev \
+	trousers \
+	trousers-dbg \
+	trousers-doc \
+	"
+
+# libtspi needs tcsd for most (all?) operations, so suggest to
+# install that.
+RRECOMMENDS_libtspi = "${PN}"
+
+FILES_libtspi = " \
+	${libdir}/*.so.1 \
+	${libdir}/*.so.1.2.0 \
+	"
+FILES_libtspi-dbg = " \
+	${libdir}/.debug \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tspi \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trspi \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/*.h \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/tss \
+	"
+FILES_libtspi-dev = " \
+	${includedir} \
+	${libdir}/*.so \
+	"
+FILES_libtspi-doc = " \
+	${mandir}/man3 \
+	"
+FILES_libtspi-staticdev = " \
+	${libdir}/*.la \
+	${libdir}/*.a \
+	"
+FILES_${PN} = " \
+	${sbindir}/tcsd \
+	${sysconfdir} \
+	${localstatedir} \
+	"
+
+FILES_${PN}-dev += "${libdir}/trousers"
+
+FILES_${PN}-dbg = " \
+	${sbindir}/.debug \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcs \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcsd \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tddl \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trousers \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/trousers \
+	"
+FILES_${PN}-doc = " \
+	${mandir}/man5 \
+	${mandir}/man8 \
+	"
+
+INITSCRIPT_NAME = "trousers"
+INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system tss"
+USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "tcsd.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+BBCLASSEXTEND = "native"
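Review bot: `CONFFILES_${PN} += "${sysconfig}/tcsd.conf"` references `${sysconfig}`, which is not defined anywhere in this recipe and is presumably a typo for `${sysconfdir}`, the variable used everywhere else in the file. As written, tcsd.conf is not registered as a configuration file, so a package upgrade may replace a locally hardened copy without warning; the line should read `CONFFILES_${PN} += "${sysconfdir}/tcsd.conf"`. Also note that the `inherit` line selects the systemd class on `VIRTUAL-RUNTIME_init_manager` while `do_install_append` installs the unit on `DISTRO_FEATURES`, so the two conditions can disagree. Using the same test in both places would avoid shipping an unmanaged unit file.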