Hi, I don't mind, but is the meta-security policy to accept new features in stable branches?
FWIW, meta-security meta-tpm master branch does work on kirkstone too.

On Wed, Feb 01, 2023 at 08:26:12AM -0500, Armin Kuster wrote:
> Signed-off-by: Armin Kuster <[email protected]>
> (cherry picked from commit 50eff83d428598630d5277904eeeb4b668c31c22)
> Signed-off-by: Armin Kuster <[email protected]>
> ---
>  meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
>  create mode 100644 meta-tpm/lib/oeqa/runtime/cases/swtpm.py
>
> diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
> b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
> new file mode 100644
> index 0000000..df47b35
> --- /dev/null
> +++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
> @@ -0,0 +1,24 @@
> +# Copyright (C) 2022 Armin Kuster <[email protected]>
> +#
> +from oeqa.runtime.case import OERuntimeTestCase
> +from oeqa.core.decorator.depends import OETestDepends
> +from oeqa.runtime.decorator.package import OEHasPackage
> +from oeqa.core.decorator.data import skipIfNotFeature

While this test is great to see, it only tests the case where the TPM device is only visible to the userspace of the Linux system. Exposing the TPM device to the bootloader etc. requires starting it outside of qemu and configuring qemu to expose the char device.

With the poky master branch with QB_SETUP_CMD support, this can be done in the machine config with:

# setup SW based TPM for testing, note socket file path has 107 character
# length limitations from sockaddr_un
QB_SETUP_CMD = " \
    set -ex; pwd; which swtpm; swtpm --version; which swtpm_setup; \
    test -d '${IMAGE_BASENAME}_swtpm' || ( mkdir -p '${IMAGE_BASENAME}_swtpm' && \
    swtpm_setup --reconfigure --tpmstate '${IMAGE_BASENAME}_swtpm' --tpm2 --pcr-banks sha256 --config $(dirname $( which swtpm ) )/../../etc/swtpm_setup.conf ) && \
    test -f '${IMAGE_BASENAME}_swtpm/tpm2-00.permall' && \
    swtpm socket --tpmstate dir='${IMAGE_BASENAME}_swtpm' \
        --ctrl type=unixio,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' \
        --flags startup-clear \
        --log level=30 --tpm2 -t -d \
"
QB_OPT_APPEND += "-chardev socket,id=chrtpm,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"

In normal cases swtpm exits when the client qemu machine exits. If the qemu machine exits before it connects to the swtpm device, the swtpm process is leaked, but I haven't fixed this yet.
Cheers,
-Mikko

> +class SwTpmTest(OERuntimeTestCase):
> +    @classmethod
> +    def setUpClass(cls):
> +        cls.tc.target.run('mkdir /tmp/myvtpm2')
> +        cls.tc.target.run('chown tss:root /tmp/myvtpm2')
> +
> +    @classmethod
> +    def tearDownClass(cls):
> +        cls.tc.target.run('rm -fr /tmp/myvtpm2')
> +
> +    @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in
> DISTRO_FEATURES')
> +    @OETestDepends(['ssh.SSHTest.test_ssh'])
> +    @OEHasPackage(['swtpm'])
> +    def test_swtpm2_ek_cert(self):
> +        cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert
> --create-platform-cert --tpm2',
> +        status, output = self.target.run(cmd)
> +        self.assertEqual(status, 0, msg="swtpm create-ek-cert failed:
> %s" % output)
> --
> 2.37.3
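Review bot: the assignment `cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',` in test_swtpm2_ek_cert ends with a trailing comma, so `cmd` is a one-element tuple rather than a string and `self.target.run(cmd)` is handed the tuple; drop the comma. In setUpClass the status of `mkdir /tmp/myvtpm2` and `chown tss:root /tmp/myvtpm2` is discarded, so a leftover directory from an earlier run or a missing `tss` user on the image only surfaces later as an unrelated swtpm_setup failure; `mkdir -p` plus an assertion on the returned status would make the cause visible. The skip message also names `tpm2_swtpm_socket` while the test is `test_swtpm2_ek_cert`.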
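The sequence Mikko's machine config performs (start swtpm on a Unix socket, hand that socket to qemu as a TPM TIS device, and the swtpm process that leaks when qemu exits before ever connecting) as an added example in Python. It is not part of this thread, the meta-tpm patch, or meta-security. `state_dir`, `qemu_cmd`, the `launcher` parameter and the `fake_swtpm_cmd` stand-in are assumptions made for the example; the swtpm and qemu option strings are the ones from the config above, with swtpm's `-d` dropped so that the caller, not a daemonised process, owns the emulator's lifetime.

```python
"""Run a swtpm-backed QEMU session without leaking the swtpm process.

Added example; not code from the meta-tpm patch or from the machine
config quoted in the thread. `state_dir`, `qemu_cmd`, `launcher` and
`fake_swtpm_cmd` are assumptions made for this example.
"""
import os
import stat
import subprocess
import sys
import tempfile
import time
from contextlib import contextmanager

# Linux sockaddr_un.sun_path holds 108 bytes including the NUL terminator,
# so a socket path may be at most 107 bytes long: the limit the config
# comment about swtpm-sock refers to.
SUN_PATH_MAX = 107


def check_socket_path(path):
    """True if `path` fits in sockaddr_un.sun_path, False otherwise."""
    return len(os.fsencode(path)) <= SUN_PATH_MAX


def swtpm_cmd(state_dir):
    """swtpm command line equivalent to the QB_SETUP_CMD above, minus `-d`:
    keeping swtpm in the foreground lets the caller own its lifetime."""
    sock = os.path.join(state_dir, "swtpm-sock")
    if not check_socket_path(sock):
        raise ValueError("socket path %r is longer than %d bytes" % (sock, SUN_PATH_MAX))
    return ["swtpm", "socket", "--tpmstate", "dir=" + state_dir,
            "--ctrl", "type=unixio,path=" + sock,
            "--flags", "startup-clear", "--log", "level=30", "--tpm2", "-t"]


def qemu_tpm_args(sock):
    """QEMU options that hand the emulator socket to the guest as a TPM TIS device."""
    return ["-chardev", "socket,id=chrtpm,path=" + sock,
            "-tpmdev", "emulator,id=tpm0,chardev=chrtpm",
            "-device", "tpm-tis-device,tpmdev=tpm0"]


def wait_for_socket(sock, timeout=10.0):
    """Poll until `sock` exists and is a Unix socket; False on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            if stat.S_ISSOCK(os.stat(sock).st_mode):
                return True
        except FileNotFoundError:
            pass
        time.sleep(0.05)
    return False


@contextmanager
def managed_process(cmd, grace=2.0):
    """Start `cmd`; on block exit terminate it if it is still running,
    escalating to SIGKILL after `grace` seconds. This is the cleanup the
    config above lacks when qemu exits before connecting."""
    proc = subprocess.Popen(cmd)
    try:
        yield proc
    finally:
        if proc.poll() is None:
            proc.terminate()
            try:
                proc.wait(timeout=grace)
            except subprocess.TimeoutExpired:
                proc.kill()
                proc.wait()


def run_qemu_with_swtpm(state_dir, qemu_cmd, launcher=swtpm_cmd):
    """Start the emulator, wait for its socket, run QEMU, then stop the
    emulator even if QEMU never connected. Returns QEMU's exit status."""
    sock = os.path.join(state_dir, "swtpm-sock")
    with managed_process(launcher(state_dir)):
        if not wait_for_socket(sock):
            raise RuntimeError("emulator did not create %s" % sock)
        return subprocess.call(qemu_cmd + qemu_tpm_args(sock))


# Constructed stand-in for swtpm so the flow can be exercised offline: it
# binds the same socket path and then idles, like an emulator no client
# ever connected to.
def fake_swtpm_cmd(state_dir):
    sock = os.path.join(state_dir, "swtpm-sock")
    script = ("import socket, sys, time\n"
              "s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)\n"
              "s.bind(sys.argv[1]); s.listen(1); time.sleep(60)\n")
    return [sys.executable, "-c", script, sock]


def demo():
    """Run a no-op 'QEMU' (`true`) against the stand-in emulator; returns 0,
    and the stand-in is gone afterwards instead of lingering."""
    with tempfile.TemporaryDirectory() as state_dir:
        return run_qemu_with_swtpm(state_dir, ["true"], launcher=fake_swtpm_cmd)


if __name__ == "__main__":
    print("qemu rc:", demo())
```

Running the module uses the stand-in emulator and `true` in a temporary state directory; against a real image, pass the default `swtpm_cmd` launcher and the actual qemu command line. Only the socket lifetime is covered here; creating the TPM state with swtpm_setup, as the config's first half does, is left to the config.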
View/Reply Online (#59136): https://lists.yoctoproject.org/g/yocto/message/59136
