[v2,3/3] oeqa/cases/tpm2: Add tpm2-pkcs11-tools sanity test

Message ID 20250312103241.2526274-4-omri.sarig13@gmail.com
State New
Series meta-tpm: Update python runtime dependencies

Commit Message

Omri Sarig March 12, 2025, 10:32 a.m. UTC
Add a very simple sanity test, which ensures that tpm2_ptool can run
without problems when the relevant package is available.

This test case is available here to help prevent future errors, where
the tool is unable to run after installation, due to missing
dependencies for example.

Contrary to other tests in the file, this test does not communicate with
the TPM module itself, it only ensures that the tool (tpm2_ptool) can be
loaded without any errors. Therefore, we don't need to depend on
anything other than having the package installed.

Signed-off-by: Omri Sarig <omri.sarig13@gmail.com>
---
 meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Mikko Rapeli March 12, 2025, 10:38 a.m. UTC | #1
Hi,

On Wed, Mar 12, 2025 at 11:32:41AM +0100, Omri Sarig via lists.yoctoproject.org wrote:
> Add a very simple sanity test, which ensures that tpm2_ptool can run
> without problems when the relevant package is available.
> 
> This test case is available here to help prevent future errors, where
> the tool is unable to run after installation, due to missing
> dependencies for example.
> 
> Contrary to other tests in the file, this test does not communicate with
> the TPM module itself, it only ensures that the tool (tpm2_ptool) can be
> loaded without any errors. Therefore, we don't need to depend on
> anything other than having the package installed.
> 
> Signed-off-by: Omri Sarig <omri.sarig13@gmail.com>
> ---
>  meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
> index 8e90dc9..c2e6dfa 100644
> --- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
> +++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
> @@ -67,3 +67,8 @@ class Tpm2Test(OERuntimeTestCase):
>      def test_tpm2_swtpm_reset(self):
>           (status, output) = self.target.run('swtpm_ioctl -i --tcp :2322')
>           self.assertEqual(status, 0, msg="swtpm reset failed: %s" % output)
> +
> +    @OEHasPackage(['tpm2-pkcs11-tools'])
> +    def test_tpm2_pkcs11_tools(self):
> +        (status, output) = self.target.run("tpm2_ptool --help")
> +        self.assertEqual(status, 0, msg="Module cannot be run with error: %s" % output)
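
Review bot: The @OEHasPackage(['tpm2-pkcs11-tools']) gate on test_tpm2_pkcs11_tools means the test is reported as skipped, not failed, whenever the package is absent from the image under test, so a change that drops the package from the image would also hide the breakage this test is meant to catch. Suggest stating in the commit message which test image is expected to carry tpm2-pkcs11-tools, or installing the package in that image explicitly, so that a skip here is noticed.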

Thanks! This is good to start with. I think it's a separate question now if
meta-tpm test images will include tpm2-pkcs11-tools and actually run
this test.

Cheers,

-Mikko
Omri Sarig March 12, 2025, 11:07 a.m. UTC | #2
On 3/12/25 11:38, Mikko Rapeli wrote:
> Hi,

Thanks for the fast reply!

>
> On Wed, Mar 12, 2025 at 11:32:41AM +0100, Omri Sarig via lists.yoctoproject.org wrote:
>> Add a very simple sanity test, which ensures that tpm2_ptool can run
>> without problems when the relevant package is available.
>>
>> This test case is available here to help prevent future errors, where
>> the tool is unable to run after installation, due to missing
>> dependencies for example.
>>
>> Contrary to other tests in the file, this test does not communicate with
>> the TPM module itself, it only ensures that the tool (tpm2_ptool) can be
>> loaded without any errors. Therefore, we don't need to depend on
>> anything other than having the package installed.
>>
>> Signed-off-by: Omri Sarig <omri.sarig13@gmail.com>
>> ---
>>   meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
>> index 8e90dc9..c2e6dfa 100644
>> --- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
>> +++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
>> @@ -67,3 +67,8 @@ class Tpm2Test(OERuntimeTestCase):
>>       def test_tpm2_swtpm_reset(self):
>>            (status, output) = self.target.run('swtpm_ioctl -i --tcp :2322')
>>            self.assertEqual(status, 0, msg="swtpm reset failed: %s" % output)
>> +
>> +    @OEHasPackage(['tpm2-pkcs11-tools'])
>> +    def test_tpm2_pkcs11_tools(self):
>> +        (status, output) = self.target.run("tpm2_ptool --help")
>> +        self.assertEqual(status, 0, msg="Module cannot be run with error: %s" % output)
> Thanks! This is good to start with. I think it's a separate question now if
> meta-tpm test images will include tpm2-pkcs11-tools and actually run
> this test.

I've looked into it now.
If I understand it correctly, and the image used for testing is 
security-tpm2-image 
(meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb), 
then the image already has tpm2-pkcs11-tools implicitly installed in it.

This is done as the image has the recipe of swtpm and the config of
gnutls, which adds tpm2-pkcs11-tools to the runtime dependencies of swtpm.

I think we can do one of the following:

1. Update the image to explicitly install tpm2-pkcs11-tools (as a 
package in IMAGE_INSTALL).
2. Update the commit message to add the above explanation, so users will 
know that the tool is added to the image (and thus tested).
3. Leave the commits as-is.

What do you think makes the most sense?


With Kind Regards,
Omri
Mikko Rapeli March 12, 2025, 11:15 a.m. UTC | #3
Hi,

On Wed, Mar 12, 2025 at 12:07:29PM +0100, Omri Sarig wrote:
> On 3/12/25 11:38, Mikko Rapeli wrote:
> > Hi,
> 
> Thanks for the fast reply!
> 
> > 
> > On Wed, Mar 12, 2025 at 11:32:41AM +0100, Omri Sarig via lists.yoctoproject.org wrote:
> > > Add a very simple sanity test, which ensures that tpm2_ptool can run
> > > without problems when the relevant package is available.
> > > 
> > > This test case is available here to help prevent future errors, where
> > > the tool is unable to run after installation, due to missing
> > > dependencies for example.
> > > 
> > > Contrary to other tests in the file, this test does not communicate with
> > > the TPM module itself, it only ensures that the tool (tpm2_ptool) can be
> > > loaded without any errors. Therefore, we don't need to depend on
> > > anything other than having the package installed.
> > > 
> > > Signed-off-by: Omri Sarig <omri.sarig13@gmail.com>
> > > ---
> > >   meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 5 +++++
> > >   1 file changed, 5 insertions(+)
> > > 
> > > diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
> > > index 8e90dc9..c2e6dfa 100644
> > > --- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
> > > +++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
> > > @@ -67,3 +67,8 @@ class Tpm2Test(OERuntimeTestCase):
> > >       def test_tpm2_swtpm_reset(self):
> > >            (status, output) = self.target.run('swtpm_ioctl -i --tcp :2322')
> > >            self.assertEqual(status, 0, msg="swtpm reset failed: %s" % output)
> > > +
> > > +    @OEHasPackage(['tpm2-pkcs11-tools'])
> > > +    def test_tpm2_pkcs11_tools(self):
> > > +        (status, output) = self.target.run("tpm2_ptool --help")
> > > +        self.assertEqual(status, 0, msg="Module cannot be run with error: %s" % output)
> > Thanks! This is good to start with. I think it's a separate question now if
> > meta-tpm test images will include tpm2-pkcs11-tools and actually run
> > this test.
> 
> I've looked into it now.
> If I understand it correctly, and the image used for testing is
> security-tpm2-image
> (meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb), then
> the image already has tpm2-pkcs11-tools implicitly installed in it.
> 
> This is done as the image has the recipe of swtpm and the config of gnutls,
> which adds tpm2-pkcs11-tools to the runtime dependencies of swtpm.
> 
> I think we can do one of the following:
> 
> 1. Update the image to explicitly install tpm2-pkcs11-tools (as a package in
> IMAGE_INSTALL).
> 2. Update the commit message to add the above explanation, so users will
> know that the tool is added to the image (and thus tested).
> 3. Leave the commits as-is.
> 
> What do you think makes the most sense?

If the image already has it then I think we can leave as is.

But Armin as the layer maintainer can decide.

Cheers,

-Mikko
Patch

diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index 8e90dc9..c2e6dfa 100644
--- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -67,3 +67,8 @@  class Tpm2Test(OERuntimeTestCase):
     def test_tpm2_swtpm_reset(self):
          (status, output) = self.target.run('swtpm_ioctl -i --tcp :2322')
          self.assertEqual(status, 0, msg="swtpm reset failed: %s" % output)
+
+    @OEHasPackage(['tpm2-pkcs11-tools'])
+    def test_tpm2_pkcs11_tools(self):
+        (status, output) = self.target.run("tpm2_ptool --help")
+        self.assertEqual(status, 0, msg="Module cannot be run with error: %s" % output)
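
Review bot: In test_tpm2_pkcs11_tools the assertion checks only the exit status of "tpm2_ptool --help", so the test passes for anything that exits 0, and the failure message "Module cannot be run with error: %s" does not name the command that failed. Suggest also asserting that the output contains the tool's usage text, and wording the message after the command, for example "tpm2_ptool --help failed: %s", in line with "swtpm reset failed: %s" in the context lines above.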