tpm2-tss: 4.0.1 -> 4.1.0

[baloo]

Description of changes

Because upstream rewrote the loader for TCTI, the order for loading backend got shuffled. This explains the noise in the patch.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[baloo]

This breaks tpm2-pytss for some reason

[LeSuisse]

Includes the fix for CVE-2024-29040 (not yet disclosed?).

Would it make sense to first upgrade to 4.0.2 as it only seems to contain fixes and then work on the upgrade to 4.1.0 which does not seem to smooth?
We will probably need 4.0.2 for the 23.11 branch anyway.

[baloo]

Bad rebase, sorry for the noise everyone.

[SuperSandro2000]

LGTM

[SuperSandro2000]

For next time:

---

This PR rebuilds a lot of packages which means we must target staging. Please follow the contributing guide to not potentially ping a lot of people.

[nbraud]

Looks good, assuming tests pass

[nbraud]

@ofborg test systemd-credentials-tpm2 systemd-initrd-luks-tpm2

[vcunat]

This breaks tpm2-pytss for some reason

So overall this PR looks like a "breaking change"? Note that the 24.05 schedule doesn't allow to merge such changes currently (in general): #303285 (comment)

[nbraud]

So overall this PR looks like a "breaking change"? Note that the 24.05 schedule doesn't allow to merge such changes currently (in general): #303285 (comment)

The necessary patch to tpm-pytss is included, so this shouldn't break any builds; furthermore, I am currently checking that tpm-pytss build properly (which involves rebuilding most of everything anyhow)

I'd consider it a tpm-pytss bug (that is exposed by the update) rather than a breaking change in tpm2-tss, given that what broke tpm-pytss isn't anything like an API or ABI change, but tpm-pytss processing some header files with regexps for some reason (I didn't look into why, and I honestly don't want to know)
Otherwise, even reformating headers would be a potential breaking change to a library.

[nbraud]

Confirmed, tpm-pytss builds fine with the patch, now running a full nixpkgs-review. Hopefully my workstation won't run out of space in the process. (Update: it did 😭 )

[baloo]

tpm2-pytss will run pycparser at build time to read headers from tpm2-tss.
Since I'm a maintainer of both packages, it would be a bit silly for me to introduce the breaking change in tpm2-tss.

This PR pulls a patch made by maintainers of tpm2-pytss that fixes the parsing of headers. This is not upstream yet.
see tpm2-software/tpm2-pytss#571

I've run all the nixos-tests I could find and all dependencies (but I did that in a rebase on master because I did not have the CPU available to run those on staging).

[vcunat]

I'll trust you that it's safe enough. If it's for NixOS 24.05, better now than later. Upstream changelog doesn't sound scary either.