Force signed char since we have =-1 (fixes FTBFS on char=uchar)

Equivalent calling convention, produces identical initrd

Fixes: https://todo.sr.ht/~nabijaczleweli/tzpfms/3

.build.yml

@@ -35,7 +35,7 @@ tasks:
       sudo sh -c 'curl https://git.sr.ht/~nabijaczleweli/groff-1.23-unfucking/blob/trunk/mdoc.local >> /etc/groff/mdoc.local'
       git -C tzpfms/ worktree add ../tzpfms-man man
       cd tzpfms-man
-      git ls-tree -z --name-only HEAD | xargs -0 rm -r
+      git ls-tree -z --name-only HEAD | grep -z tpm | xargs -0 rm -r
       cp -pr ../tzpfms/out/man/* .
       sed -e 's/…/.../g' $(ls *.[12345678] | awk -F. '{print $2 "\t" $1}' | sort | awk -F'\t' '{print $2 "." $1}') | groff -K utf8 -tpe -mdoc -Tps -dpaper=a4 -P-pa4 > tzpfms.ps
       ps2pdf -sPAPERSIZE=a4 tzpfms.ps tzpfms.pdf

README.md

@@ -3,7 +3,7 @@ TPM-based encryption keys for ZFS datasets.
 
 See also [fzifdso](//git.sr.ht/~nabijaczleweli/fzifdso) for FIDO2/WebAuthn-based (YubiKey, Somu, &c.) keys.
 
-## [Manpages](//srhtcdn.githack.com/~nabijaczleweli/tzpfms/blob/man/zfs-tpm-list.8.html) ([PDF](//srhtcdn.githack.com/~nabijaczleweli/tzpfms/blob/man/tzpfms.pdf))
+## [Manpages](//ra.ws.co.ls/~nabijaczleweli/tzpfms/blob/man/zfs-tpm-list.8.html) ([PDF](//ra.ws.co.ls/~nabijaczleweli/tzpfms/blob/man/tzpfms.pdf))
 
 ### Why?
 
@@ -41,7 +41,7 @@ As an example, for a sensible default value of `exec systemd-ask-password --id="
 ### Installation
 
 Copy the `out/zfs-tpm*` binaries corresponding to the back-ends you want to `/sbin`,
-continue as the [manual](//srhtcdn.githack.com/~nabijaczleweli/tzpfms/blob/man/zfs-tpm2-change-key.8.html) [page](//srhtcdn.githack.com/~nabijaczleweli/tzpfms/blob/man/zfs-tpm1x-change-key.8.html) instructs.
+continue as the [manual](//ra.ws.co.ls/~nabijaczleweli/tzpfms/blob/man/zfs-tpm2-change-key.8.html) [page](//ra.ws.co.ls/~nabijaczleweli/tzpfms/blob/man/zfs-tpm1x-change-key.8.html) instructs.
 
 For initrd support, copy the content of either `out/dracut/` or `out/initramfs-tools/` over `/`;
 these need `zfs-tpm-list` but will work with any combination of back-end `*-load-key` binaries

initrd/dracut/module-setup.sh

@@ -25,20 +25,19 @@ _get_backend() {
 
 _install_tpm2() {
 	inst_binary zfs-tpm2-load-key
-	# shellcheck disable=SC2046
-	inst_library $(find /usr/lib -name 'libtss2-tcti*.so*')  # TODO: there's got to be a better way™!
+	inst_libdir_file 'libtss2-tcti*.so*'
 	command -v tpm2_dictionarylockout > /dev/null && inst_binary tpm2_dictionarylockout
 }
 
 _install_tpm1x() {
 	inst_binary zfs-tpm1x-load-key
-	INSTALL_TPM1X{inst_binary tcsd; inst_binary ip; inst_binary ss, initdir, inst_simple, inst_simple, inst_simple, inst_library}
+	INSTALL_TPM1X{inst_binary tcsd; inst_binary ip; inst_binary ss, initdir, inst_simple, inst_simple, inst_simple, inst_libdir_file}
 	command -v tpm_resetdalock > /dev/null && inst_binary tpm_resetdalock
 }
 
 
 check() {
-	command -v zfs-tpm-list > /dev/null || return 1
+	require_binaries zfs-tpm-list || return
 
 	# shellcheck disable=SC2154
 	if [ -n "$hostonly" ]; then

src/bin/zfs-tpm-list.cpp

@@ -12,7 +12,7 @@
 #define TZPFMS_BACKEND_MAX_LEN 16
 
 
-enum class key_loadedness : char {
+enum class key_loadedness : signed char {
 	none     = -1,
 	unloaded = 0,
 	loaded   = 1,

src/bin/zfs-tpm1x-clear-key.cpp

@@ -8,6 +8,5 @@
 
 
 int main(int argc, char ** argv) {
-	return do_clear_main(
-	    argc, argv, THIS_BACKEND, [](auto, auto) { return 0; }, [] { return 0; });
+	return do_clear_main(argc, argv, THIS_BACKEND, [](auto, auto) { return 0; }, [] { return 0; });
 }

src/fd.cpp

@@ -133,7 +133,7 @@ static int get_key_material_raw(const char * whom, bool again, bool newkey, uint
 	if(from_tty) {
 		// Handle SIGINT and ignore SIGSTP.
 		// This is necessary to restore the state of the terminal.
-		struct sigaction act {};
+		struct sigaction act{};
 		sigemptyset(&act.sa_mask);
 
 		caught_interrupt = 0;

src/main.hpp

@@ -64,8 +64,7 @@ static int do_bare_main(
 }
 
 template <class G, class M, class V = int (*)()>
-static int do_main(
-    int argc, char ** argv, const char * getoptions, const char * usage, G && getoptfn, M && main, V && validate = [] { return 0; }) {
+static int do_main(int argc, char ** argv, const char * getoptions, const char * usage, G && getoptfn, M && main, V && validate = [] { return 0; }) {
 	return do_bare_main(
 	    // as-in argument in a usage string
 	    argc, argv, getoptions, usage, gettext_noop("dataset"), getoptfn,

src/tpm1x.hpp

@@ -9,6 +9,7 @@
 #include "main.hpp"
 
 #include <stdlib.h>
+#include <sys/mman.h>
 
 #include <tss/platform.h>
 #include <tss/tspi.h>
@@ -29,6 +30,8 @@ static const constexpr uint8_t parent_key_secret[TPM_SHA1_160_HASH_LEN]{0xCE, 0x
 
 template <class F>
 int with_tpm1x_session(F && func) {
+	mlockall(MCL_CURRENT | MCL_FUTURE);
+
 	TSS_HCONTEXT ctx{};  // All memory lives as long as this does
 	TRY_TPM1X("create TPM context", Tspi_Context_Create(&ctx));
 

src/tpm2.hpp

@@ -6,6 +6,7 @@
 
 #include "common.hpp"
 
+#include <sys/mman.h>
 #include <tss2/tss2_common.h>
 #include <tss2/tss2_esys.h>
 #include <tss2/tss2_rc.h>
@@ -20,6 +21,8 @@ static const constexpr TPMT_SYM_DEF tpm2_session_key{.algorithm = TPM2_ALG_AES,
 
 template <class F>
 int with_tpm2_session(F && func) {
+	mlockall(MCL_CURRENT | MCL_FUTURE);
+
 	// https://trustedcomputinggroup.org/wp-content/uploads/TSS_ESAPI_v1p00_r05_pubrev.pdf
 	// mainly "3.4. The ESAPI Session" and "3.5. ESAPI Use Model"
 	// https://tpm2-tss.readthedocs.io/en/latest/group___e_s_y_s___c_o_n_t_e_x_t.html