tpm2-software / tpm2-tss

OSS implementation of the TCG TPM2 Software Stack (TSS2)
https://tpm2-software.github.io
BSD 2-Clause "Simplified" License

On “pkg-config --static --libs tss2-esys” #1398

Closed dilyanpalauzov closed 5 years ago

dilyanpalauzov commented 5 years ago

When a program is dynamically linked with libtss2-esys, during the linking the output of pkg-config --libs tss2-esys shall be considered. It currently returns -L/usr/local/lib -ltss2-esys -ltss2-sys -ltss2-mu.

When a program is statically linked with libtss2-esys, during the linking the output of pkg-config --libs --static tss2-esys shall be considered. It currently returns -L/usr/local/lib -ltss2-esys -ltss2-sys -ltss2-mu. Missing are -lssl/-lgcrypt/-lcrypt.

To my understanding, pkg-config --libs tss2-esys should just return what is necessary to link, in order to use the program. If the implementation of libtss2-esys.so changes later, so that it does not depend on libtss2-mu, programs linked with libtss2-esys should not be recompiled, in order to stop loading libtss2-mu (which is added as DT_NEEDED).

Unfortunately, the way libtool is currently implemented is to write in the libtss2-esys.la file -ldl -L/usr/local/lib64 -lssl -lcrypto /usr/local/lib/libtss2-sys.la /usr/local/lib/libtss2-tcti-device.la /usr/local/lib/libtss2-tcti-mssim.la /usr/local/lib/libtss2-mu.la and, when libtool links with -ltss2-esys, to add libcrypto to DT_NEEDED of the resulting binary. The implication is that once esys is compiled with OpenSSL and a program links with tss2-esys, the program will get explicit DT_NEEDED for libssl. If libtss2-esys is then recompiled to use gcrypt, when the program is loaded, it will load both libssl (because it is in the DT_NEEDED of the program) and libgcrypt (because it is in the DT_NEEDED of libtss2-esys). The program should just list as DT_NEEDED the libraries it directly depends on.

Ignoring libtool, pkg-config --libs tss2-esys shall return -Llibdir -ltss2-esys and pkg-config --libs --static tss2-esys shall return -L/usr/local/lib -ltss2-esys -ltss2-sys -ltss2-mu and whatever crypto library is used.

To utilize the --static, pkg-config foresees Libs.private and Requires.private.

I do not think that libtss2-esys needs to mention -ltss2-sys and libtss2-mu in Requires.private, but in Libs.private. The former is evaluated during ./configure with PKG_CHECK_MODULES. But since libtss2-esys and libtss2-sys live together, libtss2-esys can always assume that libtss2-sys and libtss2-mu are installed. So the latter shall go to Libs.private.

AndreasFuchsTPM commented 5 years ago

This is a duplicate of #1174.

diabonas commented 5 years ago

I agree that the required libraries for the cryptographic backend should be in Libs.private and that libtss2-mu should not be a public dependency. However, I think Requires.private would be a better place for libtss2-mu than Libs.private because Requires.private allows recursive dependency resolution: if libtss2-mu depends on further libraries, they will be pulled from the pkg-config file and included in pkg-config --libs --static tss2-esys; this wouldn't happen for Libs.private. This seems to be in line with the pkg-config guidelines:

In addition, Libs and Libs.private contain link flags for other libraries not supported by pkg-config.

I have opened #1417 to get the dependencies sorted out and would love to hear your feedback on this proposal.
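
The difference between Requires.private and Libs.private discussed in the comment above, as an added example that is not part of the original thread or of tpm2-tss: a simplified Python model of how pkg-config collects flags for --libs and --libs --static. The .pc contents are constructed, and tss2-esys-alt, tss2-demo-dep and -ldemo are hypothetical names; version constraints and pkg-config's exact flag ordering are not modelled.

```python
# Simplified model of pkg-config flag resolution (added example, not pkg-config itself).
# All .pc contents are constructed; tss2-esys-alt and tss2-demo-dep are hypothetical.
PC_FILES = {
    # Variant A: tss2-mu is named in Requires.private (resolved recursively).
    "tss2-esys": """\
Libs: -L/usr/local/lib -ltss2-esys
Libs.private: -lcrypto
Requires.private: tss2-mu
""",
    # Variant B: tss2-mu is hard-coded as a flag in Libs.private.
    "tss2-esys-alt": """\
Libs: -L/usr/local/lib -ltss2-esys
Libs.private: -lcrypto -ltss2-mu
""",
    "tss2-mu": """\
Libs: -L/usr/local/lib -ltss2-mu
Requires.private: tss2-demo-dep
""",
    "tss2-demo-dep": """\
Libs: -ldemo
""",
}


def parse_pc(text):
    """Return the 'Key: value' fields of a .pc file as a dict."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {key.strip(): value.strip() for key, sep, value in pairs if sep}


def libs(package, static=False, seen=None):
    """Collect link flags roughly as --libs (static=False) or --libs --static would."""
    seen = set() if seen is None else seen
    if package in seen:
        return []
    seen.add(package)
    pc = parse_pc(PC_FILES[package])
    flags = pc.get("Libs", "").split()
    requires = pc.get("Requires", "").replace(",", " ").split()
    if static:  # private fields only matter for static linking
        flags += pc.get("Libs.private", "").split()
        requires += pc.get("Requires.private", "").replace(",", " ").split()
    for dep in requires:
        flags += libs(dep, static, seen)
    return list(dict.fromkeys(flags))  # drop repeats such as a second -L


if __name__ == "__main__":
    for name in ("tss2-esys", "tss2-esys-alt"):
        print(name, "--libs:", " ".join(libs(name)))
        print(name, "--libs --static:", " ".join(libs(name, static=True)))
```

In variant A the static flags include -ldemo because the dependency of tss2-mu is followed through its own .pc file; in variant B it is silently missing, while the dynamic output is the same short list in both.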

dilyanpalauzov commented 5 years ago

After reviewing the changes towards tpm2-tss, I have no concerns with them.