From 75f77e757039e1ef61d1b4c27cde0c8ec0d019c1 Mon Sep 17 00:00:00 2001
From: Morgan Jones
Date: Wed, 21 May 2025 01:01:26 -0700
Subject: [PATCH 1/3] tpm2-pkcs11: export abrmd passthru

security.tpm2 should depend on this for the default PKCS#11 module.
---
 pkgs/by-name/tp/tpm2-pkcs11/package.nix | 30 ++++++++++++++++---------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/pkgs/by-name/tp/tpm2-pkcs11/package.nix b/pkgs/by-name/tp/tpm2-pkcs11/package.nix
index ac79ea43d0cf..17d53d293bbf 100644
--- a/pkgs/by-name/tp/tpm2-pkcs11/package.nix
+++ b/pkgs/by-name/tp/tpm2-pkcs11/package.nix
@@ -222,18 +222,26 @@ chosenStdenv.mkDerivation (finalAttrs: {
 $out/lib/libtpm2_pkcs11.so.0.0.0
 '';
 
- passthru = {
+ passthru = rec {
+ esapi = tpm2-pkcs11-esapi;
+ fapi = tpm2-pkcs11-fapi;
+ abrmd = tpm2-pkcs11.override {
+ abrmdSupport = true;
+ };
+ esapi-abrmd = tpm2-pkcs11-esapi.override {
+ abrmdSupport = true;
+ };
+ fapi-abrmd = tpm2-pkcs11-fapi.override {
+ abrmdSupport = true;
+ };
 tests = {
- inherit tpm2-pkcs11-esapi tpm2-pkcs11-fapi;
- tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
- abrmdSupport = true;
- };
- tpm2-pkcs11-esapi-abrmd = tpm2-pkcs11-esapi.override {
- abrmdSupport = true;
- };
- tpm2-pkcs11-fapi-abrmd = tpm2-pkcs11-fapi.override {
- abrmdSupport = true;
- };
+ inherit
+ esapi
+ fapi
+ abrmd
+ esapi-abrmd
+ fapi-abrmd
+ ;
 };
 };
 

From 9c1564e395cae6fe9106fafcaf00a7984e244541 Mon Sep 17 00:00:00 2001
From: Morgan Jones
Date: Wed, 21 May 2025 01:03:21 -0700
Subject: [PATCH 2/3] nixos/tpm2: default pkcs#11 module based on abrmd config

Since there are now variants of tpm2-pkcs11 with and without ABRMD support (for the kernel resource manager), ensure we pick the correct default. Fixes an accidental backwards incompatibility with the module.
---
 nixos/modules/security/tpm2.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/security/tpm2.nix b/nixos/modules/security/tpm2.nix
index f60adb24cdbe..bb947cb32a56 100644
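Review bot: The five new `passthru` attributes carry no comment, even though `pkgs.tpm2-pkcs11.abrmd` becomes a public interface that the NixOS module selects by default (per the commit message), so the block should say what the variants are and who consumes them. It is also worth documenting that they are built from the callPackage-injected `tpm2-pkcs11`, `tpm2-pkcs11-esapi` and `tpm2-pkcs11-fapi` inputs rather than from the derivation being defined, so `(tpm2-pkcs11.override { … }).abrmd` returns the abrmd build of the stock package with the caller's other overrides dropped. Suggested comment above `passthru = rec {`: `# Build variants that talk to the TPM through tpm2-abrmd instead of the kernel resource manager; security.tpm2 picks one based on security.tpm2.abrmd.enable. They derive from the unoverridden inputs, so overrides applied to this package do not carry over.` The enclosing mkDerivation attribute set starts and ends outside the hunk.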
--- a/nixos/modules/security/tpm2.nix
+++ b/nixos/modules/security/tpm2.nix
@@ -75,8 +75,8 @@ in
 package = lib.mkOption {
 description = "tpm2-pkcs11 package to use";
 type = lib.types.package;
- default = pkgs.tpm2-pkcs11;
- defaultText = lib.literalExpression "pkgs.tpm2-pkcs11";
+ default = if cfg.abrmd.enable then pkgs.tpm2-pkcs11.abrmd else pkgs.tpm2-pkcs11;
+ defaultText = lib.literalExpression "if config.security.tpm2.abrmd.enable then pkgs.tpm2-pkcs11.abrmd else pkgs.tpm2-pkcs11";
 };
 };
 

From f86ebd9ac5751620810149f84176e9309e10303b Mon Sep 17 00:00:00 2001
From: Morgan Jones
Date: Wed, 21 May 2025 01:04:37 -0700
Subject: [PATCH 3/3] release-notes: document tpm2-pkcs11 abrmd changes for 25.05

---
 doc/release-notes/rl-2505.section.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/release-notes/rl-2505.section.md b/doc/release-notes/rl-2505.section.md
index fb46f6ac04d6..8ae1797aaf1a 100644
--- a/doc/release-notes/rl-2505.section.md
+++ b/doc/release-notes/rl-2505.section.md
@@ -232,6 +232,8 @@
 - `dwarf-fortress-packages` now only contains one minor version for each major version since version 0.44. Saves should still be compatible, but you may have to change which minor version you were using if it was one other than the newest.
 
+- `tpm2-pkcs11` now is compiled without abrmd (Access Broker and Resource Manager Daemon) support by default, preferring the kernel resource manager. Use `tpm2-pkcs11.abrmd` if you would like a version with abrmd support. Note that the NixOS module picks the correct one automatically based on `security.tpm2.abrmd`.
+
 - `zig_0_9` and `zig_0_10` have been removed, you should upgrade to `zig_0_13` (also available as just `zig`), `zig_0_12` or `zig_0_11` instead.
 
 - `webpack-cli` was updated to major version 6, which has breaking changes from the previous version 5.1.4. See the [upstream release notes](https://github.com/webpack/webpack-cli/releases/tag/webpack-cli%406.0.0) for details on these changes.
 
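Review bot: The option description `"tpm2-pkcs11 package to use"` is now stale: the new default switches between two builds that reach the TPM through different paths, and a user who sets `package` to a build that does not match `security.tpm2.abrmd.enable` gets no hint from the documentation that the two must agree. Suggested replacement for the description line: `description = "tpm2-pkcs11 package to use. When security.tpm2.abrmd.enable is set this defaults to pkgs.tpm2-pkcs11.abrmd, the build that talks to the TPM through tpm2-abrmd; otherwise it defaults to pkgs.tpm2-pkcs11, which uses the kernel resource manager. A custom package must be built for the same access path.";`. Note also that the default now reads the `abrmd` passthru attribute, so an overlay that replaces `tpm2-pkcs11` with a package lacking it will fail evaluation whenever abrmd is enabled; that is probably acceptable, but is worth stating in the description or release note. The option set enclosing `package` starts outside the hunk.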