* [meta-security][PATCH v2 0/9] tpm: virtual TPM for qemu
@ 2017-02-03  8:46 Patrick Ohly
From: Patrick Ohly @ 2017-02-03  8:46 UTC (permalink / raw)
  To: yocto

I recently started using swtpm-native in combination with the qemu-tpm
patches to simulate a virtual TPM chip in qemu. The qemu-tpm patches
should go into OE-core, but currently usage is a bit cumbersome
(requires root privileges and manually starting swtpm before each
runqemu invocation), so at this time I only consider the meta-security
changes ready and useful enough for merging.

Inside the virtual machine I used tpm-tools + trousers to set up
sealed keys for EVM, which required fixing a few things.

These patches were based on Armin's swtpm+trousers version update
series which needs to be merged first to avoid merge conflicts.

Changes in V2:
- add --system to tss user and group creation
- revised commit message for wrapper scripts (swtpm_cuse needs
  absolute path to tpm state dir, can be passed via parameter)
- another swtpm SRCREV bump

Patrick Ohly (9):
  trousers: missing libtspi.so.1 in libtspi package
  trousers: recommend tcsd
  trousers: tcsd.conf must be owned tss:tss
  swtpm: enable native and nativesdk flavors
  swtpm: depends on tpm-tools
  swtpm: fix compiler format warning
  swtpm: cuse packageconfig
  swtpm-wrappers: simplify using swtpm-native
  swtpm: update to latest tip

 recipes-tpm/swtpm/files/fix_lib_search_path.patch | 64 ++++++++++++++++-
 recipes-tpm/swtpm/files/fix_signed_issue.patch    |  2 +-
 recipes-tpm/swtpm/swtpm-wrappers.bb               | 41 ++++++++++-
 recipes-tpm/swtpm/swtpm_1.0.bb                    | 14 +++-
 recipes-tpm/trousers/trousers_git.bb              | 11 +--
 5 files changed, 124 insertions(+), 8 deletions(-)
 create mode 100644 recipes-tpm/swtpm/files/fix_lib_search_path.patch
 create mode 100644 recipes-tpm/swtpm/swtpm-wrappers.bb

base-commit: 6787dd986122cd6420b1f348c4550a42ed596f57
-- 
git-series 0.9.1



* [meta-security][PATCH v2 1/9] trousers: missing libtspi.so.1 in libtspi package
From: Patrick Ohly @ 2017-02-03  8:46 UTC (permalink / raw)
  To: yocto

The soname of libtspi.so is "libtspi.so.1" and therefore apps
linked against that library depend on the libtspi.so.1 symlink
to find the library.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/trousers/trousers_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-tpm/trousers/trousers_git.bb b/recipes-tpm/trousers/trousers_git.bb
index 1dedd7c..0a7e5b6 100644
--- a/recipes-tpm/trousers/trousers_git.bb
+++ b/recipes-tpm/trousers/trousers_git.bb
@@ -57,6 +57,7 @@ PACKAGES = " \
 	"
 
 FILES_libtspi = " \
+	${libdir}/*.so.1 \
 	${libdir}/*.so.1.2.0 \
 	"
 FILES_libtspi-dbg = " \
@@ -69,7 +70,6 @@ FILES_libtspi-dbg = " \
 FILES_libtspi-dev = " \
 	${includedir} \
 	${libdir}/*.so \
-	${libdir}/*.so.1 \
 	"
 FILES_libtspi-doc = " \
 	${mandir}/man3 \
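Review bot: together with the previous hunk this moves the `libtspi.so.1` soname link from libtspi-dev into libtspi, leaving -dev with only the unversioned `${libdir}/*.so` dev symlink, which is the usual OE split (runtime package owns the soname link, -dev owns the dev link) and fixes the missing runtime dependency described in the commit message. Before merging, confirm the result in a build with `oe-pkgdata-util list-pkg-files libtspi libtspi-dev`, since the two globs `*.so.1` and `*.so.1.2.0` in FILES_libtspi now both have to match and nothing else in the context should still claim the symlink.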

* [meta-security][PATCH v2 2/9] trousers: recommend tcsd
From: Patrick Ohly @ 2017-02-03  8:46 UTC (permalink / raw)
  To: yocto

Installing tpm-tools for tools like tpm_takeown pulls in the libtspi
package, but the resulting system is not functional unless the tcsd
(from the main "trousers" package) also gets installed. A RRECOMMENDS
entry for that takes care of that automatically.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/trousers/trousers_git.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/recipes-tpm/trousers/trousers_git.bb b/recipes-tpm/trousers/trousers_git.bb
index 0a7e5b6..5737de3 100644
--- a/recipes-tpm/trousers/trousers_git.bb
+++ b/recipes-tpm/trousers/trousers_git.bb
@@ -56,6 +56,10 @@ PACKAGES = " \
 	trousers-doc \
 	"
 
+# libtspi needs tcsd for most (all?) operations, so suggest to
+# install that.
+RRECOMMENDS_libtspi = "${PN}"
+
 FILES_libtspi = " \
 	${libdir}/*.so.1 \
 	${libdir}/*.so.1.2.0 \
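Review bot: the added comment leaves the strength of the dependency open ("most (all?) operations"); if libtspi really is unusable without a running tcsd, as the commit message says, `RDEPENDS_libtspi = "${PN}"` states that directly, whereas `RRECOMMENDS` keeps tcsd droppable through `BAD_RECOMMENDATIONS` for images that only want the library present. Either choice is defensible, but the "(all?)" should be resolved in the comment, and it is worth spelling out that `${PN}` here is `trousers`, the package that ships the tcsd daemon, so a reader of the recipe does not have to work that out.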

* [meta-security][PATCH v2 3/9] trousers: tcsd.conf must be owned tss:tss
From: Patrick Ohly @ 2017-02-03  8:46 UTC (permalink / raw)
  To: yocto

The upstream dist/Makefile.am ensures that /etc/tcsd.conf is owned by
tss:tss, and that must not be changed because otherwise tcsd refuses
to start.

In addition, the tss group and user should be added as a system group
and user, respectively, because they are not normal users. This also avoids
the host-user-contaminated QA warning because the "tss" user will
typically not get assigned a UID from the same range as the host user
that is used for building.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/trousers/trousers_git.bb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/recipes-tpm/trousers/trousers_git.bb b/recipes-tpm/trousers/trousers_git.bb
index 5737de3..6671808 100644
--- a/recipes-tpm/trousers/trousers_git.bb
+++ b/recipes-tpm/trousers/trousers_git.bb
@@ -39,7 +39,6 @@ do_install_append() {
         install -m 0644 ${WORKDIR}/tcsd.service ${D}${systemd_unitdir}/system/
         sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/tcsd.service
     fi        
-    chown -R root:root ${D}${sysconfdir}/tcsd.conf
 }
 
 CONFFILES_${PN} += "${sysconfig}/tcsd.conf"
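Review bot: dropping the `chown -R root:root` restores the tss:tss ownership that upstream's dist/Makefile.am sets and that tcsd checks at startup, so the hunk does what the message says; however the unchanged context line `CONFFILES_${PN} += "${sysconfig}/tcsd.conf"` references `${sysconfig}`, which is not an OE variable (`${sysconfdir}` is), so the entry never matches the installed file and tcsd.conf is not treated as a conffile on package upgrades. That is pre-existing, but since this patch is already touching the install step it would be a natural follow-up, as would trimming the trailing whitespace after `fi` two lines above the removed line.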
@@ -107,8 +106,8 @@ INITSCRIPT_NAME = "trousers"
 INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
 
 USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "tss"
-USERADD_PARAM_${PN} = "-M -d /var/lib/tpm -s /bin/false -g tss tss"
+GROUPADD_PARAM_${PN} = "--system tss"
+USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
 
 SYSTEMD_PACKAGES = "${PN}"
 SYSTEMD_SERVICE_${PN} = "tcsd.service"
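Review bot: `--system` on both the group and the user is the right fix for the host-user-contaminated QA warning, since system accounts are allocated from the reserved UID/GID range rather than the one a build user's UID falls into. Note that `useradd --system` already skips home directory creation, so the `-M` kept in `USERADD_PARAM_${PN}` is now redundant (harmless, but it can go). The swtpm recipe in 4/9 creates its own `--system` user in the same `tss` group; both recipes creating that group is fine with useradd.bbclass as long as their GROUPADD parameters agree, which they do after this change.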
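As an added illustration of the kind of check the commit message refers to (tcsd refusing to start when tcsd.conf is not owned by tss), here is a small C routine that a daemon can run on its configuration file before trusting it. It is example code written for this page, not part of trousers or of this patch series. The policy it enforces (owner must be root or the service uid, no group/other access, symlinks rejected via lstat) is this example's assumption modelled on the message above, not a reproduction of tcsd's own rule; the sample file contents are constructed.

```c
#define _XOPEN_SOURCE 700   /* lstat(), mkstemp() on glibc/musl */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of conf_file_check(). */
enum conf_status {
    CONF_OK = 0,
    CONF_STAT_FAILED,     /* file missing or not accessible */
    CONF_NOT_REGULAR,     /* symlink, directory, device, ... */
    CONF_BAD_OWNER,       /* owned by neither root nor the service user */
    CONF_TOO_PERMISSIVE   /* group or others can read or write it */
};

/*
 * Verify that a daemon's configuration file is safe to trust before the
 * daemon starts: it must be a plain file (lstat, so a symlink planted at
 * the path is rejected instead of followed), owned by root or by the
 * unprivileged service account, and not accessible to anyone else.
 * The policy is this example's assumption; it is not tcsd's code.
 */
enum conf_status conf_file_check(const char *path, uid_t service_uid)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return CONF_STAT_FAILED;
    if (!S_ISREG(st.st_mode))
        return CONF_NOT_REGULAR;
    if (st.st_uid != 0 && st.st_uid != service_uid)
        return CONF_BAD_OWNER;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return CONF_TOO_PERMISSIVE;
    return CONF_OK;
}

/*
 * Create a constructed sample config at a mkstemp() template path and set
 * its mode explicitly (mkstemp creates the file 0600 regardless of umask).
 * `path` is rewritten in place with the chosen name. Returns 0 on success.
 */
int write_demo_conf(char *path, mode_t mode)
{
    static const char body[] = "# constructed sample tcsd.conf\nport = 30003\n";
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    if (write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1)) {
        close(fd);
        return -1;
    }
    close(fd);
    return chmod(path, mode);
}

/* Human-readable label for a check result, used by main() below. */
const char *conf_status_str(enum conf_status s)
{
    switch (s) {
    case CONF_OK:             return "ok";
    case CONF_STAT_FAILED:    return "stat failed";
    case CONF_NOT_REGULAR:    return "not a regular file";
    case CONF_BAD_OWNER:      return "bad owner";
    case CONF_TOO_PERMISSIVE: return "too permissive";
    }
    return "unknown";
}

int main(void)
{
    char strict[] = "/tmp/tcsd_demo_XXXXXX";
    char loose[]  = "/tmp/tcsd_demo_XXXXXX";

    if (write_demo_conf(strict, 0600) != 0 || write_demo_conf(loose, 0644) != 0)
        return 1;
    /* The process's own uid stands in for the tss account in this demo. */
    printf("%s: %s\n", strict, conf_status_str(conf_file_check(strict, getuid())));
    printf("%s: %s\n", loose, conf_status_str(conf_file_check(loose, getuid())));
    unlink(strict);
    unlink(loose);
    return 0;
}
```

Compile with `cc -Wall -o conf_check conf_check.c` and run it; the 0600 file passes and the 0644 file is reported as too permissive. In a real daemon the service uid would come from `getpwnam("tss")`, and the check should run before the file is parsed, mirroring the order in which tcsd bails out.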

* [meta-security][PATCH v2 4/9] swtpm: enable native and nativesdk flavors
From: Patrick Ohly @ 2017-02-03  8:46 UTC (permalink / raw)
  To: yocto

For use with qemu-tpm as described in the swtpm main README, swtpm
must be compiled natively. nativesdk is added just in case someone
someone wants to add this to an SDK.

The fix_lib_search_path.patch was recently removed during the version
update, but it is still needed when building natively. Here's a
version that applies cleanly again.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/swtpm/files/fix_lib_search_path.patch | 64 ++++++++++++++++-
 recipes-tpm/swtpm/swtpm_1.0.bb                    |  3 +-
 2 files changed, 67 insertions(+)
 create mode 100644 recipes-tpm/swtpm/files/fix_lib_search_path.patch

diff --git a/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/recipes-tpm/swtpm/files/fix_lib_search_path.patch
new file mode 100644
index 0000000..28aca4a
--- /dev/null
+++ b/recipes-tpm/swtpm/files/fix_lib_search_path.patch
@@ -0,0 +1,64 @@
+From 85706ceb6877ade3b589d3c390abf5b3492bb718 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Thu, 13 Oct 2016 02:03:56 -0700
+Subject: [PATCH] swtpm: add new package
+
+Upstream-Status: Inappropriate [OE config]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Rebased to current tip.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ configure.ac | 32 ++++++++++----------------------
+ 1 file changed, 10 insertions(+), 22 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index c4a9c6d..6267f64 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -395,29 +395,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-security"
+ dnl We have to make sure libtpms is using the same crypto library
+ dnl to avoid problems
+ AC_MSG_CHECKING([the crypto library libtpms is using])
+-dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
+-       sed -n '/SEARCH_DIR/p' | \
+-       sed 's/SEARCH_DIR("=\?\(@<:@^"@:>@\+\)"); */\1\n/g')
+-for dir in $dirs $LIBRARY_PATH; do
+-  if test -r $dir/libtpms.so; then
+-    if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
+-      libtpms_cryptolib="openssl"
+-      break
+-    fi
+-    if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
+-      libtpms_cryptolib="freebl"
+-      break
+-    fi
++dir="$SEARCH_DIR"
++if test -r $dir/libtpms.so; then
++  if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
++    libtpms_cryptolib="openssl"
++    break
+   fi
+-  case $host_os in
+-  cygwin)
+-    if test -r $dir/libtpms.a; then
+-      if test -n "$(nm $dir/libtpms.a | grep "U AES_encrypt")"; then
+-        libtpms_cryptolib="openssl"
+-      fi
+-    fi
+-  esac
+-done
++  if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
++    libtpms_cryptolib="freebl"
++    break
++  fi
++fi
+ 
+ if test -z "$libtpms_cryptolib"; then
+   AC_MSG_ERROR([Could not determine libtpms crypto library.])
+-- 
+2.1.4
+
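Review bot: the two `break` statements survive in the replacement block even though the `for dir in ...` loop they belonged to is removed, so they now sit inside plain `if` bodies; `break` outside a loop is unspecified in POSIX sh and only a warning in bash, and without it both `ldd | grep` tests run, so a libtpms linked against both libraries would end up reported as "freebl" because the second assignment wins. Drop the `break` lines and make the second test an `elif`. Two smaller points: `$SEARCH_DIR` has to be supplied by the caller, and nothing in this series' recipe hunks visibly sets it, so the commit message should say where it comes from (with it empty the check looks at `/libtpms.so` and falls through to the AC_MSG_ERROR); and the embedded header still reads `Subject: [PATCH] swtpm: add new package`, which no longer describes a configure.ac-only change.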
diff --git a/recipes-tpm/swtpm/swtpm_1.0.bb b/recipes-tpm/swtpm/swtpm_1.0.bb
index 27b4b8c..d5a2a58 100644
--- a/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -9,6 +9,7 @@ SRCREV = "ca906a02124d0ed8b6194e845d272d23ee394a34"
 SRC_URI = " \
 	git://github.com/stefanberger/swtpm.git \
 	file://fix_signed_issue.patch \
+	file://fix_lib_search_path.patch \
 	"
 
 S = "${WORKDIR}/git"
@@ -45,3 +46,5 @@ USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir  \
     --no-create-home  --shell /bin/false ${BPN}"
 
 RDEPENDS_${PN} = "libtpm expect socat bash"
+
+BBCLASSEXTEND = "native nativesdk"
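Review bot: for the native and nativesdk variants the `USERADD_PARAM_${PN}` in the context above is not applied (useradd.bbclass only creates accounts for target packages), but `--with-tss-user=${TSS_USER}` is still passed to configure, so the native swtpm_setup expects a `tss` account on the build host that the recipe does not create; 8/9 papers over that by running the setup under pseudo. It would help readers of the recipe to state that in the commit message or in a comment next to `BBCLASSEXTEND`, since it is the reason the native build needs a wrapper at all.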

* [meta-security][PATCH v2 5/9] swtpm: depends on tpm-tools
From: Patrick Ohly @ 2017-02-03  8:46 UTC (permalink / raw)
  To: yocto

The configure script checks for tpm_nvdefine from tpm-tools and fails
when it is not present.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/swtpm/swtpm_1.0.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/recipes-tpm/swtpm/swtpm_1.0.bb b/recipes-tpm/swtpm/swtpm_1.0.bb
index d5a2a58..5283f5d 100644
--- a/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -5,6 +5,11 @@ SECTION = "apps"
 
 DEPENDS = "libtasn1 fuse expect socat glib-2.0 libtpm libtpm-native"
 
+# configure checks for the tools already during compilation and
+# then swtpm_setup needs them at runtime
+DEPENDS += "tpm-tools-native"
+RDEPENDS_${PN} += "tpm-tools"
+
 SRCREV = "ca906a02124d0ed8b6194e845d272d23ee394a34"
 SRC_URI = " \
 	git://github.com/stefanberger/swtpm.git \
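Review bot: the comment says the tools are checked "during compilation", but the commit message says configure checks for them, so "at configure time" would be accurate. Worth noting explicitly that, for the target build, `DEPENDS += "tpm-tools-native"` means a full native build of tpm-tools is pulled in purely to satisfy a presence check for `tpm_nvdefine` that the cross-built swtpm will never use on the host; if configure has a way to be told the tool name without probing, that would be lighter, otherwise the comment should say the native dependency exists only for the check.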

* [meta-security][PATCH v2 6/9] swtpm: fix compiler format warning
From: Patrick Ohly @ 2017-02-03  8:46 UTC (permalink / raw)
  To: yocto

When building for x86-64, gcc complains:

tpm_ioctl.c:866:9: error: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 2 has type ‘long unsigned int’ [-Werror=format=]
|          printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
|          ^
| cc1: all warnings being treated as errors

Casting to "long long unsigned" matches the format specifier in all
cases, including those where "long long" is larger than 64 bits.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/swtpm/files/fix_signed_issue.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-tpm/swtpm/files/fix_signed_issue.patch b/recipes-tpm/swtpm/files/fix_signed_issue.patch
index 427df62..140585b 100644
--- a/recipes-tpm/swtpm/files/fix_signed_issue.patch
+++ b/recipes-tpm/swtpm/files/fix_signed_issue.patch
@@ -42,7 +42,7 @@ Index: git/src/swtpm_ioctl/tpm_ioctl.c
          }
          /* no tpm_result here */
 -        printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap));
-+        printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
++        printf("ptm capability is 0x%llx\n", (long long unsigned)devtoh64(is_chardev, cap));
  
      } else if (!strcmp(command, "-i")) {
          init.u.req.init_flags = htodev32(is_chardev, PTM_INIT_FLAG_DELETE_VOLATILE);
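Review bot: casting to `long long unsigned` does make the argument match `%llx` on every ABI, but the idiomatic fix for a `uint64_t` is `"0x%" PRIx64` from <inttypes.h>, which needs no cast and picks the right length modifier on LP64 and ILP32 alike; if the cast is kept, `unsigned long long` is the conventional spelling (both are valid C). Since this edits a patch file rather than the source, the `Index: git/src/swtpm_ioctl/tpm_ioctl.c` quilt-style header in the context still applies and the change is minimal, so no objection to taking it as is.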
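As an added note on the format fix above (example code written for this page, not from swtpm or from the patch): the cast to `unsigned long long` is correct, but the C99 `PRIx64` macro from <inttypes.h> is the idiom that avoids both the cast and the ABI dependence. The block compares the two safe forms and makes visible the width assumption that the original `%lx` relied on; the value 0x1ff used in the demo is constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Portable form: PRIx64 expands to the length modifier that matches
 * uint64_t on the current ABI ("lx" on LP64 Linux, "llx" on ILP32 and
 * on LLP64 Windows), so the argument needs no cast and -Wformat is
 * satisfied everywhere. Returns snprintf's count.
 */
int format_cap_portable(uint64_t cap, char *buf, size_t len)
{
    return snprintf(buf, len, "ptm capability is 0x%" PRIx64 "\n", cap);
}

/*
 * Cast form, as in the patch: converting to unsigned long long makes the
 * argument match "%llx" on every ABI, because unsigned long long is at
 * least 64 bits wide. Correct, just noisier than PRIx64.
 */
int format_cap_cast(uint64_t cap, char *buf, size_t len)
{
    return snprintf(buf, len, "ptm capability is 0x%llx\n",
                    (unsigned long long)cap);
}

/*
 * The original "%lx" with a uint64_t argument is only right where
 * unsigned long is 64 bits (LP64). On ILP32 the variadic argument is
 * 8 bytes but printf reads 4, which is undefined behaviour and exactly
 * what -Werror=format reports. This reports whether the current ABI
 * would have hit that mismatch, without performing the bad call.
 */
int lx_width_mismatch(void)
{
    return sizeof(unsigned long) != sizeof(uint64_t);
}

/* Returns 1 when both safe variants produce identical text for `cap`. */
int variants_agree(uint64_t cap)
{
    char a[64], b[64];

    format_cap_portable(cap, a, sizeof a);
    format_cap_cast(cap, b, sizeof b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    char buf[64];

    format_cap_portable(0x1ffULL, buf, sizeof buf);   /* constructed value */
    fputs(buf, stdout);
    printf("%%lx would mismatch uint64_t on this ABI: %s\n",
           lx_width_mismatch() ? "yes" : "no");
    printf("variants agree for UINT64_MAX: %d\n", variants_agree(UINT64_MAX));
    return 0;
}
```

Building with `cc -Wall -Wformat -Werror=format` is the check worth keeping in the recipe's CFLAGS: the swtpm configure.ac already adds `-Wformat -Wformat-security` (visible in the 4/9 context), which is what surfaced the original `%lx` bug.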

* [meta-security][PATCH v2 7/9] swtpm: cuse packageconfig
From: Patrick Ohly @ 2017-02-03  8:46 UTC (permalink / raw)
  To: yocto

The CUSE support in swtpm does not depend on selinux. It is needed
for simulating a virtual TPM, one of the use cases for swtpm-native, so
enable it by default.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/swtpm/swtpm_1.0.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-tpm/swtpm/swtpm_1.0.bb b/recipes-tpm/swtpm/swtpm_1.0.bb
index 5283f5d..0733adc 100644
--- a/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -25,12 +25,12 @@ PARALLEL_MAKE = ""
 TSS_USER="tss"
 TSS_GROUP="tss"
 
-PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG ?= "openssl cuse"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
 PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
 PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
 PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
-PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, libselinux"
+PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse"
 
 EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"
 
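Review bot: removing `libselinux` from `PACKAGECONFIG[cuse]` fixes an obvious copy-paste error and the new default is consistent with the native use case, but CUSE is a FUSE facility, so the real dependency of this option is `fuse`, which the recipe currently lists unconditionally in `DEPENDS` (see 5/9's context). Moving it into the fourth field, `PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"`, would let a build that disables cuse drop the dependency as well. Note also that enabling cuse only affects the build; whether `/dev/cuse` is usable is decided at runtime on the host kernel, as the 8/9 usage shows.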

* [meta-security][PATCH v2 8/9] swtpm-wrappers: simplify using swtpm-native
From: Patrick Ohly @ 2017-02-03  8:46 UTC (permalink / raw)
  To: yocto

Native tools exist in recipe specific sysroots and are normally
not meant to be called from outside a build. But that's what we
need to do when using swtpm-native together with qemu, so these
wrappers make that possible by setting up the necessary environment
and hiding the internal paths.

Invoking swtpm_setup.sh gets some special support: swtpm_setup.sh runs
two daemons, tcsd and swtpm, of which tcsd insists on running as root
or tss. In practice, running as the normal user is perfectly
fine. Instead of patching the upstream source code, the approach taken
here is to run under pseudo.

Usage examples:

$ bitbake swtpm-wrappers
$ mkdir -p my-machine/myvtpm0
$ tmp-glibc/work/x86_64-linux/swtpm-wrappers/1.0-r0/swtpm_setup_oe.sh --tpm-state my-machine/myvtpm0
Starting vTPM manufacturing as root:root @ Mon 16 Jan 2017 04:09:21 PM CET
TPM is listening on TCP port 55675.
-rw------- 1 root root 65 Jan 16 16:09 /tmp/tmp.2yJBKTTwRk
Ending vTPM manufacturing @ Mon 16 Jan 2017 04:09:21 PM CET

The resulting "my-machine/myvtpm0" can then be used with swtpm (this
time, it really has to be running as root because it uses CUSE to
create /dev/vtpm0, and an absolute path is needed for the tpm state
dir) and qemu-tpm (patches not currently in OE-core, have to be
applied manually):

$ sudo tmp-glibc/work/x86_64-linux/swtpm-wrappers/1.0-r0/swtpm_cuse_oe.sh -n vtpm0 --tpmstate dir=`pwd`/my-machine/myvtpm0
$ sudo chmod a+rw /dev/vtpm0
$ runqemu ... 'qemuparams=-tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0'

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/swtpm/swtpm-wrappers.bb | 41 ++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+)
 create mode 100644 recipes-tpm/swtpm/swtpm-wrappers.bb

diff --git a/recipes-tpm/swtpm/swtpm-wrappers.bb b/recipes-tpm/swtpm/swtpm-wrappers.bb
new file mode 100644
index 0000000..676c35e
--- /dev/null
+++ b/recipes-tpm/swtpm/swtpm-wrappers.bb
@@ -0,0 +1,41 @@
+SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
+LICENSE = "MIT"
+DEPENDS = "swtpm-native tpm-tools-native"
+
+inherit native
+
+# The whole point of the recipe is to make files available
+# for use after the build is done, so don't clean up...
+RM_WORK_EXCLUDE += "${PN}"
+
+do_create_wrapper () {
+    cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around swtpm_setup.sh which adds parameters required to
+# run the setup as non-root directly from the native sysroot.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+# tcsd only allows to be run as root or tss. Pretend to be root...
+exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
+EOF
+
+    cat >${WORKDIR}/swtpm_cuse_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around swtpm_cuse which makes it easier to invoke
+# the right binary. Has to be run as root with TPM_PATH set
+# to a directory initialized as virtual TPM by swtpm_setup_oe.sh.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+exec swtpm_cuse "\$@"
+EOF
+
+    chmod a+rx ${WORKDIR}/*.sh
+}
+
+addtask do_create_wrapper before do_build after do_prepare_recipe_sysroot
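Review bot: the header comment of `swtpm_cuse_oe.sh` says the script "has to be run as root with TPM_PATH set", but the commit message (and the v2 change log) pass the state directory with `--tpmstate dir=...` instead, so the comment is stale and should describe the parameter. Two things worth stating in the comments or commit message because users will copy the usage lines: the `${FAKEROOTENV} ${FAKEROOTCMD}` prefix in `swtpm_setup_oe.sh` only makes tcsd believe it is root via pseudo's libc interposition, no privilege is actually gained, which is the point; and the cuse wrapper is invoked via `sudo` from the user-writable `tmp-glibc/work/...` tree, so root executes scripts and binaries that any process of the build user can modify, which is acceptable for a developer machine but should not be done on a shared build host. Minor: `chmod a+rx ${WORKDIR}/*.sh` is fine, but the task writes into `${WORKDIR}` directly rather than `${S}` or `${B}`, so `RM_WORK_EXCLUDE` is doing real work here and deserves its existing comment.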

* [meta-security][PATCH v2 9/9] swtpm: update to latest tip
From: Patrick Ohly @ 2017-02-03  8:46 UTC (permalink / raw)
  To: yocto

Brings in instructions for setting the log level. Setting the log level
with --log file=...,level=1 is necessary at the moment before anything
gets written to the log. Even errors are suppressed by default.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/swtpm/swtpm_1.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-tpm/swtpm/swtpm_1.0.bb b/recipes-tpm/swtpm/swtpm_1.0.bb
index 0733adc..0d3bab0 100644
--- a/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -10,7 +10,7 @@ DEPENDS = "libtasn1 fuse expect socat glib-2.0 libtpm libtpm-native"
 DEPENDS += "tpm-tools-native"
 RDEPENDS_${PN} += "tpm-tools"
 
-SRCREV = "ca906a02124d0ed8b6194e845d272d23ee394a34"
+SRCREV = "65d8e4d83447f4c13a41a6f995bd0490f49bc5ef"
 SRC_URI = " \
 	git://github.com/stefanberger/swtpm.git \
 	file://fix_signed_issue.patch \
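Review bot: the SRCREV bump itself is fine, but since the commit message points out that swtpm suppresses even error messages unless `--log file=...,level=1` is given, the `swtpm_cuse_oe.sh` wrapper from 8/9 should either pass a default `--log` option or document it in its header, otherwise failures during the `sudo` run in the usage example are silently lost. Also check that `PV` of this recipe carries `+git${SRCPV}` (not visible in the hunk), since the file is named `swtpm_1.0.bb` but now tracks "latest tip" and package versions should change with each bump.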

* Re: [meta-security][PATCH v2 0/9] tpm: virtual TPM for qemu
From: akuster808 @ 2017-02-03 18:35 UTC (permalink / raw)
  To: Patrick Ohly, yocto

On 2/3/17 12:46 AM, Patrick Ohly wrote:
> I recently started using swtpm-native in combination with the qemu-tpm
> patches to simulate a virtual TPM chip in qemu. The qemu-tpm patches
> should go into OE-core, but currently usage is a bit cumbersome
> (requires root privileges and manually starting swtpm before each
> runqemu invocation), so at this time I only consider the meta-security
> changes ready and useful enough for merging.
>
> Inside the virtual machine I used tpm-tools + trousers to set up
> sealed keys for EVM, which required fixing a few things.
>
> These patches were based on Armin's swtpm+trousers version update
> series which needs to be merged first to avoid merge conflicts.
In staging,

Thanks,
- armin
>
> Changes in V2:
> - add --system to tss user and group creation
> - revised commit message for wrapper scripts (swtpm_cuse needs
>   absolute path to tpm state dir, can be passed via parameter)
> - another swtpm SRCREV bump
>
> Patrick Ohly (9):
>   trousers: missing libtspi.so.1 in libtspi package
>   trousers: recommend tcsd
>   trousers: tcsd.conf must be owned tss:tss
>   swtpm: enable native and nativesdk flavors
>   swtpm: depends on tpm-tools
>   swtpm: fix compiler format warning
>   swtpm: cuse packageconfig
>   swtpm-wrappers: simplify using swtpm-native
>   swtpm: update to latest tip
>
>  recipes-tpm/swtpm/files/fix_lib_search_path.patch | 64 ++++++++++++++++-
>  recipes-tpm/swtpm/files/fix_signed_issue.patch    |  2 +-
>  recipes-tpm/swtpm/swtpm-wrappers.bb               | 41 ++++++++++-
>  recipes-tpm/swtpm/swtpm_1.0.bb                    | 14 +++-
>  recipes-tpm/trousers/trousers_git.bb              | 11 +--
>  5 files changed, 124 insertions(+), 8 deletions(-)
>  create mode 100644 recipes-tpm/swtpm/files/fix_lib_search_path.patch
>  create mode 100644 recipes-tpm/swtpm/swtpm-wrappers.bb
>
> base-commit: 6787dd986122cd6420b1f348c4550a42ed596f57

* Re: [meta-security][PATCH v2 0/9] tpm: virtual TPM for qemu
From: Patrick Ohly @ 2017-02-14 11:21 UTC (permalink / raw)
  To: akuster808; +Cc: yocto

On Fri, 2017-02-03 at 10:35 -0800, akuster808 wrote:
> On 2/3/17 12:46 AM, Patrick Ohly wrote:
> > I recently started using swtpm-native in combination with the qemu-tpm
> > patches to simulate a virtual TPM chip in qemu. The qemu-tpm patches
> > should go into OE-core, but currently usage is a bit cumbersome
> > (requires root privileges and manually starting swtpm before each
> > runqemu invocation), so at this time I only consider the meta-security
> > changes ready and useful enough for merging.
> >
> > Inside the virtual machine I used tpm-tools + trousers to set up
> > sealed keys for EVM, which required fixing a few things.
> >
> > These patches were based on Armin's swtpm+trousers version update
> > series which needs to be merged first to avoid merge conflicts.
> In staging

How often do you promote staging to master? Can this be done soon (like
this week)?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

* Re: [meta-security][PATCH v2 0/9] tpm: virtual TPM for qemu
From: akuster808 @ 2017-02-15 15:35 UTC (permalink / raw)
  To: Patrick Ohly; +Cc: yocto



On 02/14/2017 03:21 AM, Patrick Ohly wrote:
> On Fri, 2017-02-03 at 10:35 -0800, akuster808 wrote:
>> On 2/3/17 12:46 AM, Patrick Ohly wrote:
>>> I recently started using swtpm-native in combination with the qemu-tpm
>>> patches to simulate a virtual TPM chip in qemu. The qemu-tpm patches
>>> should go into OE-core, but currently usage is a bit cumbersome
>>> (requires root privileges and manually starting swtpm before each
>>> runqemu invocation), so at this time I only consider the meta-security
>>> changes ready and useful enough for merging.
>>>
>>> Inside the virtual machine I used tpm-tools + trousers to set up
>>> sealed keys for EVM, which required fixing a few things.
>>>
>>> These patches were based on Armin's swtpm+trousers version update
>>> series which needs to be merged first to avoid merge conflicts.
>> In staging
> How often do you promote staging to master?
usually once I double check things.
> Can this be done soon (like
> this week)?
I am getting build failures on aarch64 I want to investigate, so it's
possible.

- armin