
[kirkstone,meta-tpm,1/3] oeqa/swtpm: add swtpm runtime

Message ID 20230201132614.2840970-1-akuster808@gmail.com
State New

Commit Message

akuster808 Feb. 1, 2023, 1:26 p.m. UTC
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 50eff83d428598630d5277904eeeb4b668c31c22)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 meta-tpm/lib/oeqa/runtime/cases/swtpm.py

Comments

Mikko Rapeli Feb. 1, 2023, 3:19 p.m. UTC | #1
Hi,

I don't mind but is the meta-security policy to accept new features in
stable branches?

FWIW, meta-security meta-tpm master branch does work on kirkstone too.

On Wed, Feb 01, 2023 at 08:26:12AM -0500, Armin Kuster wrote:
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> (cherry picked from commit 50eff83d428598630d5277904eeeb4b668c31c22)
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
>  meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
>  create mode 100644 meta-tpm/lib/oeqa/runtime/cases/swtpm.py
> 
> diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
> new file mode 100644
> index 0000000..df47b35
> --- /dev/null
> +++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
> @@ -0,0 +1,24 @@
> +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
> +#
> +from oeqa.runtime.case import OERuntimeTestCase
> +from oeqa.core.decorator.depends import OETestDepends
> +from oeqa.runtime.decorator.package import OEHasPackage
> +from oeqa.core.decorator.data import skipIfNotFeature

While this test is great to see, it only tests the case where TPM device
is only visible for the userspace of the Linux system. Exposing the TPM
device to bootloader etc requires starting it outside of qemu and
configuring qemu to expose the char device.

With poky master branch with QB_SETUP_CMD support, this can be done
in machine config with:

# setup SW based TPM for testing, note socket file path has 107 character
# length limitations from sockaddr_un
QB_SETUP_CMD = " \
   set -ex; pwd; which swtpm; swtpm --version; which swtpm_setup; \
   test -d '${IMAGE_BASENAME}_swtpm' || ( mkdir -p '${IMAGE_BASENAME}_swtpm' && \
       swtpm_setup --reconfigure --tpmstate '${IMAGE_BASENAME}_swtpm' --tpm2 --pcr-banks sha256 --config $(dirname $( which swtpm ) )/../../etc/swtpm_setup.conf ) && \
   test -f '${IMAGE_BASENAME}_swtpm/tpm2-00.permall' && \
   swtpm socket --tpmstate dir='${IMAGE_BASENAME}_swtpm' \
         --ctrl type=unixio,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' \
         --flags startup-clear \
         --log level=30 --tpm2 -t -d \
"
QB_OPT_APPEND += "-chardev socket,id=chrtpm,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"

In normal cases swtpm exits when the client qemu machine exits. If the qemu
machine exits before it connects to the swtpm device, the swtpm process
is leaked; I haven't fixed this yet.

Cheers,

-Mikko

> +class SwTpmTest(OERuntimeTestCase):
> +    @classmethod
> +    def setUpClass(cls):
> +        cls.tc.target.run('mkdir /tmp/myvtpm2')
> +        cls.tc.target.run('chown tss:root /tmp/myvtpm2')
> +
> +    @classmethod
> +    def tearDownClass(cls):
> +        cls.tc.target.run('rm -fr /tmp/myvtpm2')
> +
> +    @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
> +    @OETestDepends(['ssh.SSHTest.test_ssh'])
> +    @OEHasPackage(['swtpm'])
> +    def test_swtpm2_ek_cert(self):
> +            cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
> +            status, output = self.target.run(cmd)
> +            self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
> -- 
> 2.37.3
> 

> 
>
akuster808 Feb. 1, 2023, 6:28 p.m. UTC | #2
On 2/1/23 10:19 AM, Mikko Rapeli wrote:
> Hi,
>
> I don't mind but is the meta-security policy to accept new features in
> stable branches?

You are correct. I forgot about this one.

Nice catch.

thanks,
Armin
>
> FWIW, meta-security meta-tpm master branch does work on kirkstone too.
>
> On Wed, Feb 01, 2023 at 08:26:12AM -0500, Armin Kuster wrote:
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> (cherry picked from commit 50eff83d428598630d5277904eeeb4b668c31c22)
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> ---
>>   meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 24 ++++++++++++++++++++++++
>>   1 file changed, 24 insertions(+)
>>   create mode 100644 meta-tpm/lib/oeqa/runtime/cases/swtpm.py
>>
>> diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
>> new file mode 100644
>> index 0000000..df47b35
>> --- /dev/null
>> +++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
>> @@ -0,0 +1,24 @@
>> +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
>> +#
>> +from oeqa.runtime.case import OERuntimeTestCase
>> +from oeqa.core.decorator.depends import OETestDepends
>> +from oeqa.runtime.decorator.package import OEHasPackage
>> +from oeqa.core.decorator.data import skipIfNotFeature
> While this test is great to see, it only tests the case where TPM device
> is only visible for the userspace of the Linux system. Exposing the TPM
> device to bootloader etc requires starting it outside of qemu and
> configuring qemu to expose the char device.
>
> With poky master branch with QB_SETUP_CMD support, this can be done
> in machine config with:
>
> # setup SW based TPM for testing, note socket file path has 107 character
> # length limitations from sockaddr_un
> QB_SETUP_CMD = " \
>     set -ex; pwd; which swtpm; swtpm --version; which swtpm_setup; \
>     test -d '${IMAGE_BASENAME}_swtpm' || ( mkdir -p '${IMAGE_BASENAME}_swtpm' && \
>         swtpm_setup --reconfigure --tpmstate '${IMAGE_BASENAME}_swtpm' --tpm2 --pcr-banks sha256 --config $(dirname $( which swtpm ) )/../../etc/swtpm_setup.conf ) && \
>     test -f '${IMAGE_BASENAME}_swtpm/tpm2-00.permall' && \
>     swtpm socket --tpmstate dir='${IMAGE_BASENAME}_swtpm' \
>           --ctrl type=unixio,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' \
>           --flags startup-clear \
>           --log level=30 --tpm2 -t -d \
> "
> QB_OPT_APPEND += "-chardev socket,id=chrtpm,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
>
> In normal cases swtpm exits when client qemu machine exits. If the qemu
> machines exits before it connects to the swtpm device, the swtpm process
> is leaked but I haven't fixed this yet.
>
> Cheers,
>
> -Mikko
>
>> +class SwTpmTest(OERuntimeTestCase):
>> +    @classmethod
>> +    def setUpClass(cls):
>> +        cls.tc.target.run('mkdir /tmp/myvtpm2')
>> +        cls.tc.target.run('chown tss:root /tmp/myvtpm2')
>> +
>> +    @classmethod
>> +    def tearDownClass(cls):
>> +        cls.tc.target.run('rm -fr /tmp/myvtpm2')
>> +
>> +    @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
>> +    @OETestDepends(['ssh.SSHTest.test_ssh'])
>> +    @OEHasPackage(['swtpm'])
>> +    def test_swtpm2_ek_cert(self):
>> +            cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
>> +            status, output = self.target.run(cmd)
>> +            self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
>> -- 
>> 2.37.3
>>
>>

Patch

diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
new file mode 100644
index 0000000..df47b35
--- /dev/null
+++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
@@ -0,0 +1,24 @@ 
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+
+class SwTpmTest(OERuntimeTestCase):
+    @classmethod
+    def setUpClass(cls):
+        cls.tc.target.run('mkdir /tmp/myvtpm2')
+        cls.tc.target.run('chown tss:root /tmp/myvtpm2')
+
+    @classmethod
+    def tearDownClass(cls):
+        cls.tc.target.run('rm -fr /tmp/myvtpm2')
+
+    @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    @OEHasPackage(['swtpm'])
+    def test_swtpm2_ek_cert(self):
+            cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
+            status, output = self.target.run(cmd)
+            self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
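Review bot: The trailing comma on the `cmd = '...',` line in test_swtpm2_ek_cert makes `cmd` a one-element tuple rather than a string, so `self.target.run(cmd)` is handed a tuple, which is presumably not what target.run expects and means the swtpm_setup command is not exercised as intended; drop the comma: `cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2'`. The two `cls.tc.target.run(...)` calls in setUpClass discard their exit status, so a failed `mkdir` (for example a leftover /tmp/myvtpm2 from an aborted run, since `mkdir` is used without `-p`) or a failed `chown` (for example when the `tss` user is absent from the image) only surfaces later as an unrelated swtpm_setup failure; capturing `status, output` for each and asserting `status == 0` would make the real cause explicit. The skip message on the `@skipIfNotFeature` decorator names `tpm2_swtpm_socket`, which does not match the test it decorates, and the method body is indented 12 spaces while the decorators and signature use 4, which reads as a copy-paste artifact.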