From 73ac07a127d91a7fedd23cc508fe59c5a935dbe2 Mon Sep 17 00:00:00 2001
From: Yurii Matsiuk
Date: Wed, 29 Sep 2021 11:15:35 +0200
Subject: [PATCH 1/2] systemd: add missing TPM2 build dependencies

---
 pkgs/os-specific/linux/systemd/default.nix | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index e0a4128b0cdc..81e6818b3ccc 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -251,6 +251,7 @@ stdenv.mkDerivation {
 { name = "libtss2-esys.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
 { name = "libtss2-rc.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
 { name = "libtss2-mu.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
+ { name = "libtss2-tcti-"; pkg = opt withTpm2Tss tpm2-tss; }
 { name = "libfido2.so.1"; pkg = opt withFido2 libfido2; }
 ];
 
@@ -267,8 +268,12 @@ stdenv.mkDerivation {
 '' else ''
 # ensure that the library we provide actually exists
 if ! [ -e ${library} ]; then
- echo 'The shared library `${library}` does not exist but was given as subtitute for `${dl.name}`'
- exit 1
+ # exceptional case, details:
+ # https://github.com/systemd/systemd-stable/blob/v249-stable/src/shared/tpm2-util.c#L157
+ if ! [[ "${library}" =~ .*libtss2-tcti-$ ]]; then
+ echo 'The shared library `${library}` does not exist but was given as subtitute for `${dl.name}`'
+ exit 1
+ fi
 fi
 # make the path to the dependency explicit
 for file in $(grep -lr '"${dl.name}"' src); do
@@ -353,6 +358,7 @@ stdenv.mkDerivation {
 ++ lib.optionals withHomed [ p11-kit ]
 ++ lib.optionals (withHomed || withCryptsetup) [ libfido2 ]
 ++ lib.optionals withLibBPF [ libbpf ]
+ ++ lib.optional withTpm2Tss tpm2-tss
 ;
 
 #dontAddPrefix = true;
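Review bot: The new entry `{ name = "libtss2-tcti-"; pkg = opt withTpm2Tss tpm2-tss; }` is a filename prefix rather than a shared-object name like every other entry in this list, and nothing at the definition says so; a reader who checks the list against what tpm2-tss installs will look for a file that cannot exist. A comment on the entry would carry that, e.g. `# prefix only: systemd completes the TCTI library name at runtime (see tpm2-util.c), so no file of exactly this name exists`. Whether the substituted absolute prefix still resolves once systemd appends the driver suffix depends on how `library` is derived from `dl.pkg` and `dl.name`, which is defined outside this hunk.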
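Review bot: The added inner `if` turns the existence check into a no-op for the `libtss2-tcti-` prefix: when `${library}` ends in that prefix the error branch is skipped entirely, so a tpm2-tss output that ships no `libtss2-tcti-*` library at all still builds, and the rewritten absolute prefix would only fail later inside systemd's runtime loading. Verifying the prefix with a glob keeps the guarantee the check was written to give, in one line: `if ! [[ "${library}" =~ .*libtss2-tcti-$ ]] || ! compgen -G "${library}"'*' > /dev/null; then`. The re-indented echo line also keeps the pre-existing typo `subtitute` (should be `substitute`), which this commit could fix since it touches the line anyway. The enclosing shell snippet and the definition of `library` begin before the hunk.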
@@ -452,7 +458,7 @@ stdenv.mkDerivation {
 "-Dnss-systemd=false"
 ] ++ lib.optionals withLibBPF [
 "-Dbpf-framework=true"
- ];
+ ] ++ lib.optional withTpm2Tss "-Dtpm2=true";
 
 preConfigure = ''
 mesonFlagsArray+=(-Dntp-servers="0.nixos.pool.ntp.org 1.nixos.pool.ntp.org 2.nixos.pool.ntp.org 3.nixos.pool.ntp.org")

From e8fe1c9efeda44fa7241ec6cd4ffd72522c30132 Mon Sep 17 00:00:00 2001
From: Yurii Matsiuk
Date: Mon, 4 Oct 2021 12:54:13 +0200
Subject: [PATCH 2/2] nixos/tests/systemd-cryptenroll: add basic TPM2 test

---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/systemd-cryptenroll.nix | 55 +++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 nixos/tests/systemd-cryptenroll.nix

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 0328727cc39c..c5ce32cf0f74 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -429,6 +429,7 @@ in
 systemd-binfmt = handleTestOn ["x86_64-linux"] ./systemd-binfmt.nix {};
 systemd-boot = handleTest ./systemd-boot.nix {};
 systemd-confinement = handleTest ./systemd-confinement.nix {};
+ systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {};
 systemd-journal = handleTest ./systemd-journal.nix {};
 systemd-networkd = handleTest ./systemd-networkd.nix {};
 systemd-networkd-dhcpserver = handleTest ./systemd-networkd-dhcpserver.nix {};
diff --git a/nixos/tests/systemd-cryptenroll.nix b/nixos/tests/systemd-cryptenroll.nix
new file mode 100644
index 000000000000..2c436f2de890
--- /dev/null
+++ b/nixos/tests/systemd-cryptenroll.nix
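Review bot: `lib.optional withTpm2Tss "-Dtpm2=true"` only pins the meson option when TPM2 support is enabled; with `withTpm2Tss = false` no `-Dtpm2` flag is passed at all, so the result depends on meson's default for that option, which for systemd features is presumably `auto` and would silently enable TPM2 code paths if a tpm2-tss happened to be discoverable in the build environment. This mirrors the existing `withLibBPF` line above it, but for a feature that loads libraries at runtime an explicit value in both states keeps the build deterministic: `] ++ [ "-Dtpm2=${lib.boolToString withTpm2Tss}" ];`. The mesonFlags list this line closes starts before the hunk.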
@@ -0,0 +1,55 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+ name = "systemd-cryptenroll";
+ meta = with pkgs.lib.maintainers; {
+ maintainers = [ ymatsiuk ];
+ };
+
+ machine = { pkgs, lib, ... }: {
+ environment.systemPackages = [ pkgs.cryptsetup ];
+ virtualisation = {
+ emptyDiskImages = [ 512 ];
+ memorySize = 1024;
+ qemu.options = [
+ "-chardev socket,id=chrtpm,path=/tmp/swtpm-sock"
+ "-tpmdev emulator,id=tpm0,chardev=chrtpm"
+ "-device tpm-tis,tpmdev=tpm0"
+ ];
+ };
+ };
+
+ testScript = ''
+ import subprocess
+ import tempfile
+
+ def start_swtpm(tpmstate):
+ subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir="+tpmstate, "--ctrl", "type=unixio,path=/tmp/swtpm-sock", "--log", "level=0", "--tpm2"])
+
+ with tempfile.TemporaryDirectory() as tpmstate:
+ start_swtpm(tpmstate)
+ machine.start()
+
+ # Verify the TPM device is available and accessible by systemd-cryptenroll
+ machine.succeed("test -e /dev/tpm0")
+ machine.succeed("test -e /dev/tpmrm0")
+ machine.succeed("systemd-cryptenroll --tpm2-device=list")
+
+ # Create LUKS partition
+ machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")
+ # Enroll new LUKS key and bind it to Secure Boot state
+ # For more details on PASSWORD variable, check the following issue:
+ # https://github.com/systemd/systemd/issues/20955
+ machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
+ # Add LUKS partition to /etc/crypttab to test auto unlock
+ machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")
+ machine.shutdown()
+
+ start_swtpm(tpmstate)
+ machine.start()
+
+ # Test LUKS partition automatic unlock on boot
+ machine.wait_for_unit("systemd-cryptsetup@luks.service")
+ # Wipe TPM2 slot
+ machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")
+ '';
+})
+
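Review bot: The `subprocess.Popen` handle created in `start_swtpm` is discarded, so nothing stops the first swtpm instance after `machine.shutdown()` before the second `start_swtpm(tpmstate)` call, and whatever instances are still alive are simply abandoned when the script ends; if the first one still owns `/tmp/swtpm-sock` when the second starts, the second bind presumably fails or the stale instance keeps serving the VM, which makes the "automatic unlock on boot" phase depend on process timing rather than on the persisted TPM state. Returning the handle and stopping the emulator between the two boots and at the end (below) removes that ambiguity; passing swtpm's `--terminate` option so it exits when qemu closes the control channel is a one-line alternative. The fixed socket path is fine inside the build sandbox but is duplicated in `qemu.options`, so a comment noting that both must agree would help the next editor.
```python
def start_swtpm(tpmstate):
    # keep the handle so the emulator can be stopped between boots
    return subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir="+tpmstate, "--ctrl", "type=unixio,path=/tmp/swtpm-sock", "--log", "level=0", "--tpm2"])

def stop_swtpm(proc):
    proc.terminate()
    proc.wait()

with tempfile.TemporaryDirectory() as tpmstate:
    swtpm = start_swtpm(tpmstate)
    machine.start()
    # … unchanged: device checks, luksFormat, enroll, crypttab …
    machine.shutdown()
    stop_swtpm(swtpm)

    swtpm = start_swtpm(tpmstate)
    machine.start()
    # … unchanged: wait_for_unit, wipe-slot …
    machine.shutdown()
    stop_swtpm(swtpm)
```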