Build tsh with static libfido2 in buildbox and Centos7

[codingllama]

Build tsh with static libfido2, libcbor,libcrypto and libudev-zero.

Dockerfiles for buildbox and Centos7 changed. FIPS and macOS to be addressed at a later date.

Add the tsh fido2 diag hidden command for ease of testing.

#9160

[codingllama]

FYI @zmb3 @russjones

Buildbox:

$ ldd build/tsh
	linux-vdso.so.1 (0x00007ffc5e308000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fe89c7de000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe89c5da000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe89c1e9000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fe89c9fd000)

Centos:

$ ldd build/tsh
	linux-vdso.so.1 =>  (0x00007ffdb37e5000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f06036d6000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f06034d2000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0603104000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f06038f2000)

Tried the builds against Debian 7/8 and Ubuntu 14/16/18. Some nice folks tried against Ubuntu 20 as well. The verdict is:

• Debian 7 is a no-go, glibc is too old even for the Centos build
• Debian 8 and Ubuntu 14/16 like the Centos build (glibc again)
• Newer distros are able to run either.

[espadolini]

eudev is GPL, libudev from systemd is LGPL, so we can't use the former and we can only dynamically link the latter. 😭

Perhaps we can try with illiliti/libudev-zero? Either that or we bite the bullet and rewrite libfido2 in go, maybe using flynn/hid for zero-dependency hardware detection.

[codingllama]

eudev is GPL, libudev from systemd is LGPL, so we can't use the former and we can only dynamically link the latter. 😭

libfido2 hard-depends on libudev and is BSD-2, which confuses my non-layer brain. ¯\(ツ)/¯

Perhaps we can try with illiliti/libudev-zero?

I'm OK moving to illiliti/libudev-zero, as it does seem to work. My concern is that, as a single-author library, it's way more likely to be dropped on the floor, whereas eudev appears to be more mature. I do have to say it's a lot easier to build, though...

@zmb3

Either that or we bite the bullet and rewrite libfido2 in go, maybe using flynn/hid for zero-dependency hardware detection

Yep, I've had my sights on that for a while. If we can pull off libfido2 I do think that's better, because we leverage Yubico's work. Time is the main factor now, as I can't make the next release if I have to rewrite libfido2, but post release this could change.

[codingllama]

• Debian 7 is a no-go, glibc is too old even for the Centos build

Just a quick update, but I tried the "old" U2F tsh in Debian 7 and it doesn't run either, so I think that ship sailed already.

# buildbox build (lifted from `make build/tsh`)
$ GOOS=linux GOARCH=amd64 CGO_ENABLED=1 CGO_LDFLAGS="-Wl,-Bstatic -lelf -lz -Wl,-Bdynamic" go build -tags "" -o build/tsh  -ldflags '-w -s' ./tool/tsh

# centos7 build (lifted from `make build/tsh`)
$ GOOS=linux GOARCH=amd64 CGO_ENABLED=1 go build -tags "" -o build/tsh  -ldflags '-w -s' ./tool/tsh

# Debian 7
$ ./tsh  # buildbox binary
./tsh: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.14' not found (required by ./tsh)

$ ./tsh  # centos7 binary
./tsh: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.14' not found (required by ./tsh)

[codingllama]

libudev-zero experiment: (commit) (branch).

[codingllama]

PTAL? Now building with illiliti/libudev-zero.

[codingllama]

Friendly ping @timothyb89.