[antlir][vm] make swtpm dependency fully static

Summary: - the last dynamic dependency for swtpm was on libcrypto.so.1.1 - remove this by compiling openssl from source; this previously used a platform derived .so but that breaks on centos9 since the version is different - swtpm binary is now fully static Test Plan: - build and show it's statically compiled ``` > buck2 build -c antlir.rc_targets=//antlir/vm/runtime/facebook:qemu-tools //antlir/vm/runtime:swtpm --show-full-output Buck UI: https://www.internalfb.com/buck2/2ab02348-1fd1-469f-843c-fc38589328b0 BUILD SUCCEEDED fbcode//antlir/vm/runtime:swtpm /data/users/aeh/fbsource/buck-out/v2/gen/fbcode/513e0f216bd9b87a/antlir/vm/runtime/__swtpm__/out/swtpm > ls -lh /data/users/aeh/fbsource/buck-out/v2/gen/fbcode/513e0f216bd9b87a/antlir/vm/runtime/__swtpm__/out/swtpm -rwxr-xr-x 1 aeh users 4.4M Jul 11 16:49 /data/users/aeh/fbsource/buck-out/v2/gen/fbcode/513e0f216bd9b87a/antlir/vm/runtime/__swtpm__/out/swtpm > ldd /data/users/aeh/fbsource/buck-out/v2/gen/fbcode/513e0f216bd9b87a/antlir/vm/runtime/__swtpm__/out/swtpm not a dynamic executable > /data/users/aeh/fbsource/buck-out/v2/gen/fbcode/513e0f216bd9b87a/antlir/vm/runtime/__swtpm__/out/swtpm --help TPM emulator with choice of interface. [...] ``` Reviewed By: vjt Differential Revision: D47386310 fbshipit-source-id: 5c46a33f95f00917bce088ba2d361ca053387349
facebookincubator · Jul 14, 2023 · 29d0fe8 · 29d0fe8
1 parent 9615692
commit 29d0fe8
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 34 deletions.
diff --git a/antlir/bzl/third_party.bzl b/antlir/bzl/third_party.bzl
@@ -17,25 +17,9 @@ SRC_DIR = paths.join(PREFIX, "src")
 DEPS_DIR = paths.join(PREFIX, "deps")
 OUTPUT_DIR = "/output"
 
-def _cmd_prepare_dependency(dependency):
-    """ Provide the .pc file for the dep in the right place. """
-    return "\n".join([
-        "cp -a {deps}/{name}/{path}/pkgconfig/*.pc {deps}/pkgconfig/".format(
-            deps = DEPS_DIR,
-            name = dependency.name,
-            path = path,
-        )
-        for path in dependency.paths
-    ])
-
 def _build(name, features, script, src, deps = None, **kwargs):
     deps = deps or []
 
-    prepare_deps = "\n".join([
-        _cmd_prepare_dependency(dep)
-        for dep in deps
-    ])
-
     OUTPUT_DIR = paths.join(DEPS_DIR, name)
 
     buck_genrule(
@@ -48,10 +32,6 @@ cat > $TMP/out << 'EOF'
 set -ue
 set -o pipefail
 
-# copy all specified dependencies
-mkdir -p "{deps_dir}/pkgconfig"
-{prepare_deps}
-
 # unpack the source in build dir
 cd "{src_dir}"
 tar xzf {src} --strip-components=1
@@ -62,7 +42,7 @@ for p in \\$(ls -A {patches_dir}); do
 done
 
 export OUTPUT="{output_dir}/"
-export PKG_CONFIG_PATH="{deps_dir}/pkgconfig"
+export PKG_CONFIG_PATH="\\$(find {deps_dir} -type d -name pkgconfig | paste -sd ':')"
 export MAKEFLAGS=-j
 
 {prepare}
@@ -73,7 +53,6 @@ mv $TMP/out $OUT
 chmod +x $OUT
         """).format(
             src = SRC_TGZ,
-            prepare_deps = prepare_deps,
             prepare = script.prepare if script.prepare else "",
             build = script.build,
             install = script.install,

diff --git a/antlir/third-party/swtpm/00_configure b/antlir/third-party/swtpm/00_configure
@@ -0,0 +1,14 @@
+# since we're trying to build a static swtpm, the check for libtpms version needs
+# to use the static libcrypto.a otherwise compile fails and configure will complain
+# that the version is wrong
+--- configure.ac        2023-07-11 15:46:24.557440526 -0700
++++ configure.ac        2023-07-11 15:47:14.603685386 -0700
+@@ -172,7 +172,8 @@
+ CFLAGS="$CFLAGS $LIBTPMS_CFLAGS"
+ AC_CHECK_LIB(tpms,
+              TPMLIB_ChooseTPMVersion,[true],
+-             AC_MSG_ERROR("libtpms 0.6 or later is required")
++             AC_MSG_ERROR("libtpms 0.6 or later is required"),
++             -lcrypto
+ )
+ AC_SUBST([LIBTPMS_LIBS])
diff --git a/third-party/antlir/libcrypto/BUCK b/third-party/antlir/libcrypto/BUCK
@@ -0,0 +1,39 @@
+# Copyright (c) Meta Platforms, Inc. and affiliates.
+#
+# This source code is licensed under the MIT license found in the
+# LICENSE file in the root directory of this source tree.
+
+load("//antlir/bzl:third_party.bzl", "third_party")
+load("//antlir/bzl/image/feature:defs.bzl", "feature")
+
+oncall("twimage")
+
+third_party.build(
+    name = "libcrypto",
+    src = third_party.source("openssl_1.1.1k"),
+    features = [
+        feature.rpms_install([
+            # build deps
+            "gcc",
+            "autoconf",
+            "autoconf-archive",
+            "libtool",
+            "make",
+        ]),
+    ],
+    script = third_party.script(
+        build = "make",
+        install = "make install",
+        prepare = """
+export CFLAGS="-fPIC -fno-omit-frame-pointer"
+
+./config --prefix="${OUTPUT}" \
+    enable-camellia enable-seed enable-rfc3779 enable-cms enable-md2 \
+    no-mdc2 no-ec2m no-sm2 no-sm4 \
+    no-zlib \
+    no-rc5 no-ec2m no-gost no-sm3 no-idea no-whirlpool \
+    no-shared
+        """,
+    ),
+    visibility = ["//antlir/third-party/..."],
+)
diff --git a/third-party/antlir/libtpms/BUCK b/third-party/antlir/libtpms/BUCK
@@ -24,7 +24,6 @@ third_party.build(
             "tpm-tools",
             "expect",
             "socat",
-            "openssl-devel",
             # static deps
             "glibc-static",
             "glib2-static",
@@ -35,7 +34,8 @@ third_party.build(
         build = "make",
         install = "make install",
         prepare = """
-export CFLAGS="-fPIC"
+export CFLAGS="-fPIC -I/third-party-build/deps/libcrypto/include"
+export LDFLAGS="-L/third-party-build/deps/libcrypto/lib"
 
 # need to fix a global symbol otherwise it collides
 # later on due to static linkage
@@ -45,4 +45,7 @@ sed -i 's/char state_directory/static char state_directory/' ./src/tpm12/tpm_nvf
         """,
     ),
     visibility = ["//antlir/third-party/..."],
+    deps = [
+        third_party.library("libcrypto"),
+    ],
 )
diff --git a/third-party/antlir/swtpm/BUCK b/third-party/antlir/swtpm/BUCK
@@ -1,5 +1,6 @@
 # (c) Meta Platforms, Inc. and affiliates. Confidential and proprietary.
 
+load("@fbcode_macros//build_defs:export_files.bzl", "export_files")
 load("//antlir/bzl:third_party.bzl", "third_party")
 load("//antlir/bzl/image/feature:defs.bzl", "feature")
 
@@ -10,6 +11,8 @@ load("//antlir/bzl/image/feature:defs.bzl", "feature")
 
 oncall("twimage")
 
+export_files(files = ["00_configure"])
+
 third_party.build(
     name = "swtpm",
     src = third_party.source("swtpm"),
@@ -28,32 +31,41 @@ third_party.build(
             "expect",
             "socat",
             "python38",
-            "openssl-devel",
+            "libtasn1-devel",  # required but not for swtpm binary (ok with shared here)
+
             # static deps
             "glibc-static",
             "glib2-static",
             "pcre-static",
-            "libtasn1-devel",  # required but seemingly unused (ok with shared here)
         ]),
     ],
     script = third_party.script(
         build = """
+cd src/swtpm
 # swtpm doesnt support static linkage by itself, so convince it
-make LDFLAGS="${LDFLAGS} -all-static"
+make LDFLAGS="${LDFLAGS} -all-static" LIBS="-ldl"
         """,
         install = """
+strip swtpm
 make install
-
-# swtpm creates a root only folder to keep CA files, and it's not copyable
-# from outside the container, since we don't need it, delete
-rm -rf "${OUTPUT}/var"
         """,
+        patches = [":00_configure"],
         # TODO: Dynamically build the LDFLAGS + CLFAGS env vars based on the provided deps
         prepare = """
-export CFLAGS="-B/opt/rh/gcc-toolset-9/root/bin -I/third-party-build/deps/libffi/include -I/third-party-build/deps/json-glib/include/json-glib-1.0 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/third-party-build/deps/libtpms/include"
-export LDFLAGS="-L/third-party-build/deps/libtpms/lib -L/third-party-build/deps/libffi/lib/../lib64 -L/third-party-build/deps/json-glib/lib64 -lcrypto -ldl -lpthread"
+export CFLAGS="-B/opt/rh/gcc-toolset-9/root/bin \
+    -I/third-party-build/deps/libffi/include \
+    -I/third-party-build/deps/json-glib/include/json-glib-1.0 \
+    -I/third-party-build/deps/libcrypto/include \
+    -I/usr/include/glib-2.0 \
+    -I/usr/lib64/glib-2.0/include \
+    -I/third-party-build/deps/libtpms/include"
+export LDFLAGS="-L/third-party-build/deps/libtpms/lib \
+    -L/third-party-build/deps/libffi/lib/../lib64 \
+    -L/third-party-build/deps/json-glib/lib64 \
+    -L/third-party-build/deps/libcrypto/lib \
+    -ldl -lpthread"
 
-./autogen.sh --prefix="${OUTPUT}" --with-openssl --without-gnutls --without-selinux --without-cuse --without-seccomp 
+./autogen.sh --prefix="${OUTPUT}" --with-openssl --without-gnutls --without-selinux --without-cuse --without-seccomp
         """,
     ),
     visibility = ["//antlir/vm/..."],
@@ -66,5 +78,6 @@ export LDFLAGS="-L/third-party-build/deps/libtpms/lib -L/third-party-build/deps/
             lib_path = "lib64",
         ),
         third_party.library("libtpms"),
+        third_party.library("libcrypto"),
     ],
 )