new file mode 100644
@@ -0,0 +1,48 @@
+From af8b26e7ffe69837197fb841e9a31230ae01c9cc Mon Sep 17 00:00:00 2001
+From: Andreas Fuchs <andreas.fuchs@infineon.com>
+Date: Mon, 22 May 2023 14:06:41 +0200
+Subject: [PATCH 1/2] Configure: Allow disabling of digest-sign operations
+
+Since the digest-sign operations perform the hash on the TPM and
+TPMs in general do not support SHA512, this can lead to errors.
+Depending on the use case, it might be preferable to not support
+restricted keys (via digest+sign) but to rely on ordinary keys
+only.
+
+Upstream-Status: Backport
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ configure.ac | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d4a9356..b379042 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,13 +116,19 @@ PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g],
+ PKG_CHECK_MODULES([TSS2_ESYS], [tss2-esys >= 2.3])
+ PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
+ PKG_CHECK_MODULES([TSS2_TCTILDR], [tss2-tctildr])
++
+ AC_CHECK_LIB([crypto], EC_KEY_METHOD_set_compute_key,
+ [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], true)],
+ [AM_CONDITIONAL([HAVE_OPENSSL_ECDH], false)])
++
++AC_ARG_ENABLE([digestsign],
++ [AS_HELP_STRING([--disable-digestsign],
++ [Disable support for digest and sign methods, helps with TPM unsupported hash algorithms.])],,
++ [enable_digestsign=yes])
+ AC_CHECK_LIB([crypto], EVP_PKEY_meth_set_digest_custom,
+- [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], true)],
++ [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], [test "x$enable_digestsign" != "xno"])],
+ [AM_CONDITIONAL([HAVE_OPENSSL_DIGEST_SIGN], false)])
+-AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes],
++AS_IF([test "x$ac_cv_lib_crypto_EVP_PKEY_meth_set_digest_custom" = xyes && test "x$enable_digestsign" = "xyes"],
+ [AC_DEFINE([HAVE_OPENSSL_DIGEST_SIGN], [1],
+ Have required functionality from OpenSSL to support digest and sign)])
+
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,78 @@
+From 766505bf5c943c614fd246d27d1e5cd66543250b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Mon, 6 May 2024 16:07:54 +0200
+Subject: [PATCH 2/2] Fix mismatch of OpenSSL function signatures that cause
+ errors with gcc-14
+
+Building with gcc-14 fails with diagnostics like this:
+
+```
+src/tpm2-tss-engine-rsa.c:805:46: error: passing argument 2 of 'EVP_PKEY_meth_set_copy' from incompatible pointer type [-Wincompatible-pointer-types]
+ 805 | EVP_PKEY_meth_set_copy(pkey_rsa_methods, rsa_pkey_copy);
+ | ^~~~~~~~~~~~~
+ | |
+ | int (*)(EVP_PKEY_CTX *, EVP_PKEY_CTX *) {aka int (*)(struct evp_pkey_ctx_st *, struct evp_pkey_ctx_st *)}
+/usr/include/openssl/evp.h:2005:36: note: expected 'int (*)(EVP_PKEY_CTX *, const EVP_PKEY_CTX *)' {aka 'int (*)(struct evp_pkey_ctx_st *, const struct evp_pkey_ctx_st *)'} but argument is of type 'int (*)(EVP_PKEY_CTX *, EVP_PKEY_CTX *)' {aka 'int (*)(struct evp_pkey_ctx_st *, struct evp_pkey_ctx_st *)'}
+```
+
+A look into OpenSSL upstream shows that these functions have always had const
+`src` parameters. Thus this error was simply not detected by earlier compiler
+versions.
+
+Upstream-Status: Backport
+
+Signed-off-by: Matthias Gerstner <matthias.gerstner@suse.de>
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ src/tpm2-tss-engine-ecc.c | 4 ++--
+ src/tpm2-tss-engine-rsa.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/tpm2-tss-engine-ecc.c b/src/tpm2-tss-engine-ecc.c
+index 9e72c85..f6b9c5a 100644
+--- a/src/tpm2-tss-engine-ecc.c
++++ b/src/tpm2-tss-engine-ecc.c
+@@ -52,7 +52,7 @@ EC_KEY_METHOD *ecc_methods = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+
+ #ifdef HAVE_OPENSSL_DIGEST_SIGN
+-static int (*ecdsa_pkey_orig_copy)(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
++static int (*ecdsa_pkey_orig_copy)(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src);
+ static void (*ecdsa_pkey_orig_cleanup)(EVP_PKEY_CTX *ctx);
+ #endif /* HAVE_OPENSSL_DIGEST_SIGN */
+
+@@ -405,7 +405,7 @@ ecdsa_ec_key_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+
+ #ifdef HAVE_OPENSSL_DIGEST_SIGN
+ static int
+-ecdsa_pkey_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
++ecdsa_pkey_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
+ {
+ if (ecdsa_pkey_orig_copy && !ecdsa_pkey_orig_copy(dst, src))
+ return 0;
+diff --git a/src/tpm2-tss-engine-rsa.c b/src/tpm2-tss-engine-rsa.c
+index 41de34e..e7260c2 100644
+--- a/src/tpm2-tss-engine-rsa.c
++++ b/src/tpm2-tss-engine-rsa.c
+@@ -49,7 +49,7 @@ RSA_METHOD *rsa_methods = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+
+ #ifdef HAVE_OPENSSL_DIGEST_SIGN
+-static int (*rsa_pkey_orig_copy)(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
++static int (*rsa_pkey_orig_copy)(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src);
+ static void (*rsa_pkey_orig_cleanup)(EVP_PKEY_CTX *ctx);
+ #endif /* HAVE_OPENSSL_DIGEST_SIGN */
+
+@@ -637,7 +637,7 @@ RSA_METHOD rsa_methods = {
+
+ #ifdef HAVE_OPENSSL_DIGEST_SIGN
+ static int
+-rsa_pkey_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
++rsa_pkey_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
+ {
+ if (rsa_pkey_orig_copy && !rsa_pkey_orig_copy(dst, src))
+ return 0;
+--
+2.43.0
+
similarity index 83%
rename from meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
rename to meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.2.0.bb
@@ -8,9 +8,12 @@ SECTION = "security/tpm"
DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
-SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/v${PV}/${BPN}-${PV}.tar.gz"
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
+ file://0001-Configure-Allow-disabling-of-digest-sign-operations.patch \
+ file://0002-Fix-mismatch-of-OpenSSL-function-signatures-that-cau.patch \
+ "
-SRC_URI[sha256sum] = "ea2941695ac221d23a7f3e1321140e75b1495ae6ade876f2f4c2ed807c65e2a5"
+SRC_URI[sha256sum] = "3c94fef110dd3630b3c28c5875febba76b7d5ba2fcc04a14c4a30f5d2157c265"
UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
Signed-off-by: Armin Kuster <akuster808@gmail.com> --- ...-disabling-of-digest-sign-operations.patch | 48 ++++++++++++ ...OpenSSL-function-signatures-that-cau.patch | 78 +++++++++++++++++++ ...gine_1.1.0.bb => tpm2-tss-engine_1.2.0.bb} | 7 +- 3 files changed, 131 insertions(+), 2 deletions(-) create mode 100644 meta-tpm/recipes-tpm2/tpm2-tss-engine/files/0001-Configure-Allow-disabling-of-digest-sign-operations.patch create mode 100644 meta-tpm/recipes-tpm2/tpm2-tss-engine/files/0002-Fix-mismatch-of-OpenSSL-function-signatures-that-cau.patch rename meta-tpm/recipes-tpm2/tpm2-tss-engine/{tpm2-tss-engine_1.1.0.bb => tpm2-tss-engine_1.2.0.bb} (83%)