Message ID | 20230201132614.2840970-1-akuster808@gmail.com |
---|---|
Series | [kirkstone,meta-tpm,1/3] oeqa/swtpm: add swtpm runtime | expand |
Hi, I don't mind but is the meta-security policy to accept new features in stable branches? FWIW, meta-security meta-tpm master branch does work on kirkstone too. On Wed, Feb 01, 2023 at 08:26:12AM -0500, Armin Kuster wrote: > Signed-off-by: Armin Kuster <akuster808@gmail.com> > (cherry picked from commit 50eff83d428598630d5277904eeeb4b668c31c22) > Signed-off-by: Armin Kuster <akuster808@gmail.com> > --- > meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 24 ++++++++++++++++++++++++ > 1 file changed, 24 insertions(+) > create mode 100644 meta-tpm/lib/oeqa/runtime/cases/swtpm.py > > diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py > new file mode 100644 > index 0000000..df47b35 > --- /dev/null > +++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py 
> @@ -0,0 +1,24 @@ > +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com> > +# > +from oeqa.runtime.case import OERuntimeTestCase > +from oeqa.core.decorator.depends import OETestDepends > +from oeqa.runtime.decorator.package import OEHasPackage > +from oeqa.core.decorator.data import skipIfNotFeature While this test is great to see, it only tests the case where the TPM device is visible only to the userspace of the Linux system. Exposing the TPM device to the bootloader etc. requires starting it outside of qemu and configuring qemu to expose the char device. With poky master branch with QB_SETUP_CMD support, this can be done in machine config with: # setup SW based TPM for testing, note socket file path has 107 character # length limitations from sockaddr_un QB_SETUP_CMD = " \ set -ex; pwd; which swtpm; swtpm --version; which swtpm_setup; \ test -d '${IMAGE_BASENAME}_swtpm' || ( mkdir -p '${IMAGE_BASENAME}_swtpm' && \ swtpm_setup --reconfigure --tpmstate '${IMAGE_BASENAME}_swtpm' --tpm2 --pcr-banks sha256 --config $(dirname $( which swtpm ) )/../../etc/swtpm_setup.conf ) && \ test -f '${IMAGE_BASENAME}_swtpm/tpm2-00.permall' && \ swtpm socket --tpmstate dir='${IMAGE_BASENAME}_swtpm' \ --ctrl type=unixio,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' \ --flags startup-clear \ --log level=30 --tpm2 -t -d \ " QB_OPT_APPEND += "-chardev socket,id=chrtpm,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0" In normal cases swtpm exits when the client qemu machine exits. If the qemu machine exits before it connects to the swtpm device, the swtpm process is leaked; I haven't fixed this yet. 
Cheers, -Mikko > +class SwTpmTest(OERuntimeTestCase): > + @classmethod > + def setUpClass(cls): > + cls.tc.target.run('mkdir /tmp/myvtpm2') > + cls.tc.target.run('chown tss:root /tmp/myvtpm2') > + > + @classmethod > + def tearDownClass(cls): > + cls.tc.target.run('rm -fr /tmp/myvtpm2') > + > + @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES') > + @OETestDepends(['ssh.SSHTest.test_ssh']) > + @OEHasPackage(['swtpm']) > + def test_swtpm2_ek_cert(self): > + cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2', > + status, output = self.target.run(cmd) > + self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output) > -- > 2.37.3 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#59129): https://lists.yoctoproject.org/g/yocto/message/59129 > Mute This Topic: https://lists.yoctoproject.org/mt/96675158/7159507 > Group Owner: yocto+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [mikko.rapeli@linaro.org] > -=-=-=-=-=-=-=-=-=-=-=- >
On 2/1/23 10:19 AM, Mikko Rapeli wrote: > Hi, > > I don't mind but is the meta-security policy to accept new features in > stable branches? You are correct. I forgot about this one. Nice catch. thanks, Armin > > FWIW, meta-security meta-tpm master branch does work on kirkstone too. > > On Wed, Feb 01, 2023 at 08:26:12AM -0500, Armin Kuster wrote: >> Signed-off-by: Armin Kuster <akuster808@gmail.com> >> (cherry picked from commit 50eff83d428598630d5277904eeeb4b668c31c22) >> Signed-off-by: Armin Kuster <akuster808@gmail.com> >> --- >> meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 24 ++++++++++++++++++++++++ >> 1 file changed, 24 insertions(+) >> create mode 100644 meta-tpm/lib/oeqa/runtime/cases/swtpm.py >> >> diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py >> new file mode 100644 >> index 0000000..df47b35 >> --- /dev/null >> +++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py 
>> @@ -0,0 +1,24 @@ >> +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com> >> +# >> +from oeqa.runtime.case import OERuntimeTestCase >> +from oeqa.core.decorator.depends import OETestDepends >> +from oeqa.runtime.decorator.package import OEHasPackage >> +from oeqa.core.decorator.data import skipIfNotFeature > While this test is great to see, it only tests the case where TPM device > is only visible for the userspace of the Linux system. Exposing the TPM > device to bootloader etc requires starting it outside of qemu and > configuring qemu to expose the char device. > > With poky master branch with QB_SETUP_CMD support, this can be done > in machine config with: > > # setup SW based TPM for testing, note socket file path has 107 character > # length limitations from sockaddr_un > QB_SETUP_CMD = " \ > set -ex; pwd; which swtpm; swtpm --version; which swtpm_setup; \ > test -d '${IMAGE_BASENAME}_swtpm' || ( mkdir -p '${IMAGE_BASENAME}_swtpm' && \ > swtpm_setup --reconfigure --tpmstate '${IMAGE_BASENAME}_swtpm' --tpm2 --pcr-banks sha256 --config $(dirname $( which swtpm ) )/../../etc/swtpm_setup.conf ) && \ > test -f '${IMAGE_BASENAME}_swtpm/tpm2-00.permall' && \ > swtpm socket --tpmstate dir='${IMAGE_BASENAME}_swtpm' \ > --ctrl type=unixio,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' \ > --flags startup-clear \ > --log level=30 --tpm2 -t -d \ > " > QB_OPT_APPEND += "-chardev socket,id=chrtpm,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0" > > In normal cases swtpm exits when client qemu machine exits. If the qemu > machines exits before it connects to the swtpm device, the swtpm process > is leaked but I haven't fixed this yet. 
> > Cheers, > > -Mikko > >> +class SwTpmTest(OERuntimeTestCase): >> + @classmethod >> + def setUpClass(cls): >> + cls.tc.target.run('mkdir /tmp/myvtpm2') >> + cls.tc.target.run('chown tss:root /tmp/myvtpm2') >> + >> + @classmethod >> + def tearDownClass(cls): >> + cls.tc.target.run('rm -fr /tmp/myvtpm2') >> + >> + @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES') >> + @OETestDepends(['ssh.SSHTest.test_ssh']) >> + @OEHasPackage(['swtpm']) >> + def test_swtpm2_ek_cert(self): >> + cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2', >> + status, output = self.target.run(cmd) >> + self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output) >> -- >> 2.37.3 >> >> -=-=-=-=-=-=-=-=-=-=-=- >> Links: You receive all messages sent to this group. >> View/Reply Online (#59129): https://lists.yoctoproject.org/g/yocto/message/59129 >> Mute This Topic: https://lists.yoctoproject.org/mt/96675158/7159507 >> Group Owner: yocto+owner@lists.yoctoproject.org >> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [mikko.rapeli@linaro.org] >> -=-=-=-=-=-=-=-=-=-=-=- >>
diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
new file mode 100644
index 0000000..df47b35
--- /dev/null
+++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
@@ -0,0 +1,24 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+
+class SwTpmTest(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.tc.target.run('mkdir /tmp/myvtpm2')
+ cls.tc.target.run('chown tss:root /tmp/myvtpm2')
+
+ @classmethod
+ def tearDownClass(cls):
+ cls.tc.target.run('rm -fr /tmp/myvtpm2')
+
+ @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ @OEHasPackage(['swtpm'])
+ def test_swtpm2_ek_cert(self):
+ cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
+ status, output = self.target.run(cmd)
+ self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
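Review bot: The trailing comma on the `cmd = '...',` line in test_swtpm2_ek_cert makes `cmd` a one-element tuple rather than a string, so `self.target.run(cmd)` is handed a tuple and the command is unlikely to run as intended; drop the comma: `cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2'`. The `mkdir` and `chown` calls in setUpClass discard the (status, output) they return, so a pre-existing `/tmp/myvtpm2` (a fixed path under a world-writable directory) or a missing `tss` user would surface only as a confusing swtpm_setup failure later; checking the status of those two calls would make the failure mode explicit. The skip message names `tpm2_swtpm_socket` while the decorated test is test_swtpm2_ek_cert; the message should name this test.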