tpm2-pkcs11: fix fapi configure option; split tpm2-pkcs11-{esapi,fapi}

Per documentation at:
https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/FAPI.md
the ESAPI support for tpm2-pkcs11 creates a fundamentally different
package, so split it into two new attributes: tpm2-pkcs11-esapi and
tpm2-pkcs11-fapi.

The existing package is unchanged, supporting both FAPI and esysdb, and
also requiring TPM2_PKCS11_BACKEND=fapi to be exported to use FAPI.

The tpm2-pkcs11-esapi attribute has fapi support compiled out and uses
esysdb all the time.

The tpm2-pkcs11-fapi attribute takes the extra step of applying a patch
that causes tpm2-pkcs11 to default to using FAPI, without needing to
export TPM2_PKCS11_BACKEND=fapi. However, TPM2_PKCS11_BACKEND=esysdb can
still be exported and will work.

pkgs/by-name/tp/tpm2-pkcs11-esapi/package.nix

@@ -0,0 +1,12 @@
+{
+  tpm2-pkcs11,
+  ...
+}@args:
+
+tpm2-pkcs11.override (
+  args
+  // {
+    fapiSupport = false;
+    extraDescription = "Disables FAPI support, as if TPM2_PKCS11_BACKEND were always set to 'esysdb'.";
+  }
+)

pkgs/by-name/tp/tpm2-pkcs11-fapi/package.nix

@@ -0,0 +1,13 @@
+{
+  tpm2-pkcs11,
+  ...
+}@args:
+
+tpm2-pkcs11.override (
+  args
+  // {
+    fapiSupport = true;
+    defaultToFapi = true;
+    extraDescription = "Enables fapi by default, as if TPM2_PKCS11_BACKEND defaulted to 'fapi'.";
+  }
+)

pkgs/by-name/tp/tpm2-pkcs11/default-to-fapi.patch

@@ -0,0 +1,33 @@
+From 648f0d08953152185e13feaca4feda02f8665341 Mon Sep 17 00:00:00 2001
+From: Morgan Jones <me@numin.it>
+Date: Wed, 9 Apr 2025 00:12:47 -0700
+Subject: [PATCH] backend: default to fapi
+
+---
+ src/lib/backend.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/backend.c b/src/lib/backend.c
+index 128f58b..8404afe 100644
+--- a/src/lib/backend.c
++++ b/src/lib/backend.c
+@@ -15,12 +15,12 @@ static enum backend get_backend(void) {
+ 
+     const char *env = getenv("TPM2_PKCS11_BACKEND");
+ 
+-    if (!env || !strcasecmp(env, "esysdb")) {
+-        return backend_esysdb;
++    if (!env || !strcasecmp(env, "fapi")) {
++        return backend_fapi;
+     }
+ 
+-    if (!strcasecmp(env, "fapi")) {
+-        return backend_fapi;
++    if (!strcasecmp(env, "esysdb")) {
++        return backend_esysdb;
+     }
+ 
+     return backend_error;
+-- 
+2.47.0
+

pkgs/by-name/tp/tpm2-pkcs11/package.nix

@@ -26,14 +26,18 @@
   swtpm,
   tpm2-abrmd,
   tpm2-openssl,
-  tpm2-pkcs11, # for passthru abrmd tests
+  tpm2-pkcs11, # for passthru tests
+  tpm2-pkcs11-esapi,
+  tpm2-pkcs11-fapi,
   tpm2-tools,
   tpm2-tss,
   which,
   xxd,
   abrmdSupport ? false,
   fapiSupport ? true,
+  defaultToFapi ? false,
   enableFuzzing ? false,
+  extraDescription ? null,
 }:
 
 let
@@ -51,7 +55,9 @@ chosenStdenv.mkDerivation (finalAttrs: {
   };
 
   # Disable Java‐based tests because of missing dependencies
-  patches = [ ./disable-java-integration.patch ];
+  patches =
+    lib.singleton ./disable-java-integration.patch
+    ++ lib.optional defaultToFapi ./default-to-fapi.patch;
 
   postPatch = ''
     echo ${lib.escapeShellArg finalAttrs.version} >VERSION
@@ -80,12 +86,14 @@ chosenStdenv.mkDerivation (finalAttrs: {
     [
       (lib.enableFeature finalAttrs.doCheck "unit")
       (lib.enableFeature finalAttrs.doCheck "integration")
+
+      # Strangely, it uses --with-fapi=yes|no instead of a normal configure flag.
+      "--with-fapi=${if fapiSupport then "yes" else "no"}"
     ]
     ++ lib.optionals enableFuzzing [
       "--enable-fuzzing"
       "--disable-hardening"
-    ]
+    ];
-    ++ lib.optional fapiSupport "--with-fapi";
 
   strictDeps = true;
 
@@ -178,6 +186,10 @@ chosenStdenv.mkDerivation (finalAttrs: {
 
       # Enable tests to load TPM2 OpenSSL module
       export OPENSSL_MODULES="${openssl-modules}/lib/ossl-modules"
+    ''
+    + lib.optionalString defaultToFapi ''
+      # Need to change the default since the tests expect the other way.
+      export TPM2_PKCS11_BACKEND=esysdb
     '';
 
   postInstall = ''
@@ -211,13 +223,24 @@ chosenStdenv.mkDerivation (finalAttrs: {
     '';
 
   passthru = {
-    tests.tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
+    tests = {
-      abrmdSupport = true;
+      inherit tpm2-pkcs11-esapi tpm2-pkcs11-fapi;
+      tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
+        abrmdSupport = true;
+      };
+      tpm2-pkcs11-esapi-abrmd = tpm2-pkcs11-esapi.override {
+        abrmdSupport = true;
+      };
+      tpm2-pkcs11-fapi-abrmd = tpm2-pkcs11-fapi.override {
+        abrmdSupport = true;
+      };
     };
   };
 
   meta = {
-    description = "PKCS#11 interface for TPM2 hardware";
+    description =
+      "PKCS#11 interface for TPM2 hardware."
+      + lib.optionalString (extraDescription != null) " ${extraDescription}";
     homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
     license = lib.licenses.bsd2;
     platforms = lib.platforms.linux;