* [PATCH] tcg-storage: add TCG Opal storage security testing workflow
@ 2025-09-19 23:13 Luis Chamberlain
0 siblings, 0 replies; only message in thread
From: Luis Chamberlain @ 2025-09-19 23:13 UTC (permalink / raw)
To: Chuck Lever, Daniel Gomez, kdevops
Cc: Klaus Jensen, Swarna Prabhu, Dongjoo Seo, Luis Chamberlain
Add TCG (Trusted Computing Group) Opal SED (Self-Encrypting Drive)
testing workflow for validating storage security features. This workflow
enables testing of hardware-based full disk encryption capabilities
found in modern NVMe and SATA drives.
Key features:
- TCG Opal 2.0+ compliance testing for self-encrypting drives
- Support for drive provisioning, locking, and unlocking operations
- Integration with sedutil-cli for drive management
- Configurable encryption parameters (Admin1 password, locking ranges)
- Multi-filesystem support (XFS, Btrfs, ext4) on encrypted drives
- A/B testing support for baseline vs development comparisons
- Device capability detection and validation
The workflow validates critical storage security operations:
- Initial drive provisioning with Owner credentials
- Locking range configuration and management
- Power cycle testing to verify encryption persistence
- Performance impact measurement of encryption
- Compatibility testing across different drive models
Defconfigs:
- tcg-storage: Standard TCG Opal testing configuration
Note that Qemu lacks TCG Opal support, however if work is
put in place for that, this can be used to test it.
The real practical use would instead be to use the new declared hosts
feature which enables us to test on bare metal, skipping bringup, you
can use something like this:
make defconfig-tcg-storage-declared-hosts DECLARE_HOSTS=foo TCG_DEVICE=/dev/nvme4n1
Workflow integration follows kdevops patterns:
make defconfig-tcg-storage
make bringup
make tcg-storage # Run TCG Opal tests
make tcg-results # View test results
This enables systematic testing of hardware-based encryption features
critical for data-at-rest protection in enterprise and security-sensitive
environments.
Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
defconfigs/tcg-storage | 27 +++
defconfigs/tcg-storage-declared-hosts | 39 +++
kconfigs/workflows/Kconfig | 31 +++
playbooks/roles/ansible_cfg/defaults/main.yml | 3 +
playbooks/roles/gen_hosts/defaults/main.yml | 3 +
playbooks/roles/gen_hosts/tasks/main.yml | 15 ++
.../templates/workflows/tcg-storage.j2 | 38 +++
playbooks/roles/gen_nodes/defaults/main.yml | 2 +
playbooks/roles/gen_nodes/tasks/main.yml | 35 +++
playbooks/roles/guestfs/defaults/main.yml | 3 +
playbooks/roles/tcg_storage/defaults/main.yml | 28 +++
.../roles/tcg_storage/tasks/baseline.yml | 14 ++
.../roles/tcg_storage/tasks/build_tools.yml | 71 ++++++
.../roles/tcg_storage/tasks/device_info.yml | 65 +++++
.../roles/tcg_storage/tasks/install_deps.yml | 21 ++
playbooks/roles/tcg_storage/tasks/main.yml | 38 +++
.../roles/tcg_storage/tasks/run_tests.yml | 87 +++++++
.../tcg_storage/tasks/test_locking_ranges.yml | 89 +++++++
.../roles/tcg_storage/tasks/test_revert.yml | 80 +++++++
.../tcg_storage/tasks/test_take_ownership.yml | 57 +++++
.../roles/tcg_storage/tasks/tools_info.yml | 46 ++++
.../tcg_storage/templates/test_config.yaml.j2 | 28 +++
playbooks/tcg-storage.yml | 16 ++
workflows/Makefile | 4 +
workflows/tcg-storage/Kconfig | 186 +++++++++++++++
workflows/tcg-storage/Makefile | 200 ++++++++++++++++
workflows/tcg-storage/README.md | 222 ++++++++++++++++++
.../device_report_debian13-tcg-storage.txt | 9 +
.../tcg-storage/scripts/check_tcg_device.sh | 44 ++++
.../tcg-storage/scripts/run_kernel_ci.sh | 40 ++++
.../tcg-storage/scripts/run_kernel_ci_kotd.sh | 44 ++++
31 files changed, 1585 insertions(+)
create mode 100644 defconfigs/tcg-storage
create mode 100644 defconfigs/tcg-storage-declared-hosts
create mode 100644 playbooks/roles/gen_hosts/templates/workflows/tcg-storage.j2
create mode 100644 playbooks/roles/tcg_storage/defaults/main.yml
create mode 100644 playbooks/roles/tcg_storage/tasks/baseline.yml
create mode 100644 playbooks/roles/tcg_storage/tasks/build_tools.yml
create mode 100644 playbooks/roles/tcg_storage/tasks/device_info.yml
create mode 100644 playbooks/roles/tcg_storage/tasks/install_deps.yml
create mode 100644 playbooks/roles/tcg_storage/tasks/main.yml
create mode 100644 playbooks/roles/tcg_storage/tasks/run_tests.yml
create mode 100644 playbooks/roles/tcg_storage/tasks/test_locking_ranges.yml
create mode 100644 playbooks/roles/tcg_storage/tasks/test_revert.yml
create mode 100644 playbooks/roles/tcg_storage/tasks/test_take_ownership.yml
create mode 100644 playbooks/roles/tcg_storage/tasks/tools_info.yml
create mode 100644 playbooks/roles/tcg_storage/templates/test_config.yaml.j2
create mode 100644 playbooks/tcg-storage.yml
create mode 100644 workflows/tcg-storage/Kconfig
create mode 100644 workflows/tcg-storage/Makefile
create mode 100644 workflows/tcg-storage/README.md
create mode 100644 workflows/tcg-storage/results/device_report_debian13-tcg-storage.txt
create mode 100755 workflows/tcg-storage/scripts/check_tcg_device.sh
create mode 100755 workflows/tcg-storage/scripts/run_kernel_ci.sh
create mode 100755 workflows/tcg-storage/scripts/run_kernel_ci_kotd.sh
diff --git a/defconfigs/tcg-storage b/defconfigs/tcg-storage
new file mode 100644
index 00000000..10dc8eb7
--- /dev/null
+++ b/defconfigs/tcg-storage
@@ -0,0 +1,27 @@
+# TCG Storage testing configuration
+CONFIG_LIBVIRT=y
+CONFIG_LIBVIRT_DYNAMIC=y
+CONFIG_LIBVIRT_HOST_PREFIX="tcg"
+CONFIG_LIBVIRT_MEM_START=4096
+CONFIG_LIBVIRT_MEM_END=4096
+CONFIG_LIBVIRT_VCPUS_START=4
+CONFIG_LIBVIRT_VCPUS_END=4
+
+# Workflow selection
+CONFIG_WORKFLOWS=y
+CONFIG_WORKFLOWS_TESTS=y
+CONFIG_WORKFLOWS_LINUX_TESTS=y
+CONFIG_WORKFLOWS_DEDICATED_WORKFLOW=y
+CONFIG_KDEVOPS_WORKFLOW_DEDICATE_TCG_STORAGE=y
+CONFIG_KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE=y
+
+# TCG Storage specific options
+CONFIG_TCG_STORAGE_RUN_UNIT_TESTS=y
+# For virtual testing with NVMe
+CONFIG_TCG_STORAGE_TEST_DEVICE="/dev/nvme0n1"
+CONFIG_TCG_STORAGE_TEST_DEVICE_TYPE="nvme"
+
+# Storage options for test VM - use NVMe
+CONFIG_LIBVIRT_EXTRA_STORAGE_DRIVE_COUNT=1
+CONFIG_LIBVIRT_EXTRA_STORAGE_DRIVE_NVME=y
+CONFIG_LIBVIRT_EXTRA_STORAGE_DRIVE_SIZE=10240
\ No newline at end of file
diff --git a/defconfigs/tcg-storage-declared-hosts b/defconfigs/tcg-storage-declared-hosts
new file mode 100644
index 00000000..14ac034b
--- /dev/null
+++ b/defconfigs/tcg-storage-declared-hosts
@@ -0,0 +1,39 @@
+#
+# TCG Storage testing with declared hosts (bare metal or pre-existing infrastructure)
+#
+# Usage:
+# make defconfig-tcg-storage-declared-hosts DECLARE_HOSTS=foo TCG_DEVICE=/dev/nvme0n1
+# make
+# make tcg-storage
+#
+CONFIG_WORKFLOWS=y
+CONFIG_WORKFLOWS_TESTS=y
+CONFIG_WORKFLOWS_LINUX_TESTS=y
+CONFIG_WORKFLOWS_DEDICATED_WORKFLOW=y
+CONFIG_KDEVOPS_WORKFLOW_DEDICATE_TCG_STORAGE=y
+CONFIG_KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE=y
+
+# Skip bringup for declared hosts - we're using existing systems
+CONFIG_SKIP_BRINGUP=y
+CONFIG_KDEVOPS_USE_DECLARED_HOSTS=y
+
+# TCG Storage testing options
+CONFIG_TCG_STORAGE_GITHUB_URL="https://github.com/open-source-firmware/go-tcg-storage"
+CONFIG_TCG_STORAGE_BRANCH="main"
+
+# Device configuration - will be overridden by TCG_DEVICE variable
+CONFIG_TCG_STORAGE_TEST_DEVICE="/dev/nvme0n1"
+CONFIG_TCG_STORAGE_TEST_DEVICE_TYPE="nvme"
+CONFIG_TCG_STORAGE_TEST_PASSWORD="testpassword123"
+
+# Enable both unit and integration tests for real hardware
+CONFIG_TCG_STORAGE_RUN_UNIT_TESTS=y
+CONFIG_TCG_STORAGE_RUN_INTEGRATION_TESTS=y
+
+# Enable all TCG test types for real hardware
+CONFIG_TCG_STORAGE_TEST_TAKE_OWNERSHIP=y
+CONFIG_TCG_STORAGE_TEST_LOCKING_RANGES=y
+# Be careful with revert on real hardware
+CONFIG_TCG_STORAGE_TEST_REVERT=n
+
+CONFIG_TCG_STORAGE_RESULTS_DIR="workflows/tcg-storage/results"
\ No newline at end of file
diff --git a/kconfigs/workflows/Kconfig b/kconfigs/workflows/Kconfig
index 1be04c9c..1ae0bf67 100644
--- a/kconfigs/workflows/Kconfig
+++ b/kconfigs/workflows/Kconfig
@@ -248,6 +248,15 @@ config KDEVOPS_WORKFLOW_DEDICATE_BUILD_LINUX
This will dedicate your configuration to running only the
build-linux workflow for repeated Linux kernel builds.
+config KDEVOPS_WORKFLOW_DEDICATE_TCG_STORAGE
+ bool "tcg-storage"
+ depends on !KDEVOPS_USE_DECLARED_HOSTS
+ select KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
+ help
+ This will dedicate your configuration to running only the
+ TCG storage workflow for testing TCG/OPAL functionality on
+ self-encrypting drives.
+
endchoice
config KDEVOPS_WORKFLOW_NAME
@@ -267,6 +276,7 @@ config KDEVOPS_WORKFLOW_NAME
default "ai" if KDEVOPS_WORKFLOW_DEDICATE_AI
default "minio" if KDEVOPS_WORKFLOW_DEDICATE_MINIO
default "build-linux" if KDEVOPS_WORKFLOW_DEDICATE_BUILD_LINUX
+ default "tcg-storage" if KDEVOPS_WORKFLOW_DEDICATE_TCG_STORAGE
endif
@@ -395,6 +405,16 @@ config KDEVOPS_WORKFLOW_NOT_DEDICATED_ENABLE_AI
Select this option if you want to provision AI benchmarks on a
single target node for by-hand testing.
+config KDEVOPS_WORKFLOW_NOT_DEDICATED_ENABLE_TCG_STORAGE
+ bool "tcg-storage"
+ depends on !KDEVOPS_USE_DECLARED_HOSTS
+ select KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
+ depends on LIBVIRT || TERRAFORM_PRIVATE_NET
+ help
+ Select this option if you want to provision TCG storage testing on a
+ single target node for testing TCG/OPAL functionality on
+ self-encrypting drives.
+
endif # !WORKFLOWS_DEDICATED_WORKFLOW
config KDEVOPS_WORKFLOW_ENABLE_FSTESTS
@@ -552,6 +572,17 @@ source "workflows/build-linux/Kconfig"
endmenu
endif # KDEVOPS_WORKFLOW_ENABLE_BUILD_LINUX
+config KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
+ bool
+ output yaml
+ default y if KDEVOPS_WORKFLOW_NOT_DEDICATED_ENABLE_TCG_STORAGE || KDEVOPS_WORKFLOW_DEDICATE_TCG_STORAGE
+
+if KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
+menu "Configure and run TCG storage tests"
+source "workflows/tcg-storage/Kconfig"
+endmenu
+endif # KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
+
config KDEVOPS_WORKFLOW_ENABLE_SSD_STEADY_STATE
bool "Attain SSD steady state prior to tests"
output yaml
diff --git a/playbooks/roles/ansible_cfg/defaults/main.yml b/playbooks/roles/ansible_cfg/defaults/main.yml
index e01de2f4..92fe4198 100644
--- a/playbooks/roles/ansible_cfg/defaults/main.yml
+++ b/playbooks/roles/ansible_cfg/defaults/main.yml
@@ -1,4 +1,7 @@
---
+ansible_cfg_file: "{{ topdir_path | default(playbook_dir | dirname) }}/ansible.cfg"
+topdir_path: "{{ playbook_dir | dirname }}"
+ansible_cfg_inventory: "{{ topdir_path | default(playbook_dir | dirname) }}/hosts"
ansible_cfg_deprecation_warnings: true
ansible_cfg_callback_plugin_string: dense
ansible_cfg_callback_plugin_check_mode_markers: false
diff --git a/playbooks/roles/gen_hosts/defaults/main.yml b/playbooks/roles/gen_hosts/defaults/main.yml
index b0b59542..4f12d81f 100644
--- a/playbooks/roles/gen_hosts/defaults/main.yml
+++ b/playbooks/roles/gen_hosts/defaults/main.yml
@@ -1,5 +1,6 @@
# SPDX-License-Identifier GPL-2.0+
---
+ansible_cfg_inventory: "{{ topdir_path | default(playbook_dir | dirname) }}/hosts"
topdir_path: "/dev/null"
hosts_type_generic: true
@@ -30,6 +31,8 @@ kdevops_workflow_enable_sysbench: false
kdevops_workflow_enable_fio_tests: false
kdevops_workflow_enable_mmtests: false
kdevops_workflow_enable_ai: false
+kdevops_workflow_enable_minio: false
+kdevops_workflow_enable_tcg_storage: false
workflows_reboot_limit: false
kdevops_use_declared_hosts: false
diff --git a/playbooks/roles/gen_hosts/tasks/main.yml b/playbooks/roles/gen_hosts/tasks/main.yml
index c4599e4e..ae37f939 100644
--- a/playbooks/roles/gen_hosts/tasks/main.yml
+++ b/playbooks/roles/gen_hosts/tasks/main.yml
@@ -270,6 +270,21 @@
- ansible_hosts_template.stat.exists
- not kdevops_use_declared_hosts|default(false)|bool
+- name: Generate the Ansible hosts file for a dedicated TCG Storage setup
+ tags: ['hosts']
+ ansible.builtin.template:
+ src: "{{ kdevops_hosts_template }}"
+ dest: "{{ ansible_cfg_inventory }}"
+ force: true
+ trim_blocks: True
+ lstrip_blocks: True
+ mode: '0644'
+ when:
+ - kdevops_workflows_dedicated_workflow
+ - kdevops_workflow_enable_tcg_storage|default(false)|bool
+ - ansible_hosts_template.stat.exists
+ - not kdevops_use_declared_hosts|default(false)|bool
+
- name: Verify if final host file exists
ansible.builtin.stat:
path: "{{ ansible_cfg_inventory }}"
diff --git a/playbooks/roles/gen_hosts/templates/workflows/tcg-storage.j2 b/playbooks/roles/gen_hosts/templates/workflows/tcg-storage.j2
new file mode 100644
index 00000000..78541021
--- /dev/null
+++ b/playbooks/roles/gen_hosts/templates/workflows/tcg-storage.j2
@@ -0,0 +1,38 @@
+{#
+TCG Storage workflow hosts template
+
+This template generates the Ansible hosts file for the TCG Storage testing workflow.
+It supports both single node and baseline/dev (A/B testing) configurations.
+#}
+[all]
+localhost ansible_connection=local
+{{ kdevops_host_prefix }}-tcg-storage
+{% if kdevops_baseline_and_dev %}
+{{ kdevops_host_prefix }}-tcg-storage-dev
+{% endif %}
+
+[all:vars]
+ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
+
+[baseline]
+{{ kdevops_host_prefix }}-tcg-storage
+
+[baseline:vars]
+ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
+
+{% if kdevops_baseline_and_dev %}
+[dev]
+{{ kdevops_host_prefix }}-tcg-storage-dev
+
+[dev:vars]
+ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
+
+{% endif %}
+[tcg-storage]
+{{ kdevops_host_prefix }}-tcg-storage
+{% if kdevops_baseline_and_dev %}
+{{ kdevops_host_prefix }}-tcg-storage-dev
+{% endif %}
+
+[tcg-storage:vars]
+ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
\ No newline at end of file
diff --git a/playbooks/roles/gen_nodes/defaults/main.yml b/playbooks/roles/gen_nodes/defaults/main.yml
index c2004eb4..b30394c3 100644
--- a/playbooks/roles/gen_nodes/defaults/main.yml
+++ b/playbooks/roles/gen_nodes/defaults/main.yml
@@ -13,6 +13,8 @@ kdevops_workflow_enable_selftests: false
kdevops_workflow_enable_mmtests: false
kdevops_workflow_enable_fio_tests: false
kdevops_workflow_enable_ai: false
+kdevops_workflow_enable_minio: false
+kdevops_workflow_enable_tcg_storage: false
kdevops_nfsd_enable: false
kdevops_smbd_enable: false
kdevops_krb5_enable: false
diff --git a/playbooks/roles/gen_nodes/tasks/main.yml b/playbooks/roles/gen_nodes/tasks/main.yml
index 716c8ec0..2216588e 100644
--- a/playbooks/roles/gen_nodes/tasks/main.yml
+++ b/playbooks/roles/gen_nodes/tasks/main.yml
@@ -906,6 +906,41 @@
- kdevops_baseline_and_dev
- not minio_enable_multifs_testing|default(false)|bool
+# TCG Storage nodes
+- name: Generate the TCG Storage kdevops nodes file using {{ kdevops_nodes_template }} as jinja2 source template
+ tags: ['hosts']
+ vars:
+ node_template: "{{ kdevops_nodes_template | basename }}"
+ nodes: "{{ [kdevops_host_prefix + '-tcg-storage'] }}"
+ all_generic_nodes: "{{ [kdevops_host_prefix + '-tcg-storage'] }}"
+ ansible.builtin.template:
+ src: "{{ node_template }}"
+ dest: "{{ topdir_path }}/{{ kdevops_nodes }}"
+ force: true
+ mode: '0644'
+ when:
+ - kdevops_workflows_dedicated_workflow
+ - kdevops_workflow_enable_tcg_storage|default(false)|bool
+ - ansible_nodes_template.stat.exists
+ - not kdevops_baseline_and_dev
+
+- name: Generate the TCG Storage kdevops nodes file with dev hosts using {{ kdevops_nodes_template }} as jinja2 source template
+ tags: ['hosts']
+ vars:
+ node_template: "{{ kdevops_nodes_template | basename }}"
+ nodes: "{{ [kdevops_host_prefix + '-tcg-storage', kdevops_host_prefix + '-tcg-storage-dev'] }}"
+ all_generic_nodes: "{{ [kdevops_host_prefix + '-tcg-storage', kdevops_host_prefix + '-tcg-storage-dev'] }}"
+ ansible.builtin.template:
+ src: "{{ node_template }}"
+ dest: "{{ topdir_path }}/{{ kdevops_nodes }}"
+ force: true
+ mode: '0644'
+ when:
+ - kdevops_workflows_dedicated_workflow
+ - kdevops_workflow_enable_tcg_storage|default(false)|bool
+ - ansible_nodes_template.stat.exists
+ - kdevops_baseline_and_dev
+
# Build-linux workflow nodes
# Multi-filesystem Build-linux configurations
diff --git a/playbooks/roles/guestfs/defaults/main.yml b/playbooks/roles/guestfs/defaults/main.yml
index bb77f541..d6c230eb 100644
--- a/playbooks/roles/guestfs/defaults/main.yml
+++ b/playbooks/roles/guestfs/defaults/main.yml
@@ -1,6 +1,9 @@
---
distro_debian_based: false
+virtbuilder_os_version: "debian-13-generic-amd64-daily"
libvirt_uri_system: false
libvirt_enable_largeio: false
bootlinux_9p: false
+kdevops_workflow_enable_minio: false
+kdevops_workflow_enable_tcg_storage: false
diff --git a/playbooks/roles/tcg_storage/defaults/main.yml b/playbooks/roles/tcg_storage/defaults/main.yml
new file mode 100644
index 00000000..365eb380
--- /dev/null
+++ b/playbooks/roles/tcg_storage/defaults/main.yml
@@ -0,0 +1,28 @@
+---
+# TCG Storage testing defaults
+
+# Test configuration
+tcg_storage_test_device: "/dev/nvme0n1"
+tcg_storage_test_device_type: "nvme"
+tcg_storage_test_password: "debug"
+
+# Repository configuration
+tcg_storage_use_local: false
+tcg_storage_local_path: "{{ topdir_path }}/go-tcg-storage"
+tcg_storage_github_url: "https://github.com/open-source-firmware/go-tcg-storage.git"
+tcg_storage_branch: "main"
+
+# Test options
+run_unit_tests: false
+run_integration_tests: false
+test_take_ownership: false
+test_locking_ranges: false
+test_revert: false
+
+# Paths
+tcg_storage_dir: "{{ data_path | default('/tmp') }}/go-tcg-storage"
+tcg_storage_results_dir: "{{ topdir_path }}/workflows/tcg-storage/results"
+tcg_storage_bin_dir: "/usr/local/bin"
+
+# Test configuration template variables
+tcg_test_config_file: "{{ tcg_storage_dir }}/test-config.yaml"
\ No newline at end of file
diff --git a/playbooks/roles/tcg_storage/tasks/baseline.yml b/playbooks/roles/tcg_storage/tasks/baseline.yml
new file mode 100644
index 00000000..9aba9f93
--- /dev/null
+++ b/playbooks/roles/tcg_storage/tasks/baseline.yml
@@ -0,0 +1,14 @@
+---
+# Establish baseline for TCG Storage tests
+
+- name: Include test running tasks
+ ansible.builtin.include_tasks: run_tests.yml
+
+- name: Mark results as baseline
+ ansible.builtin.copy:
+ content: |
+ Baseline established at: {{ ansible_date_time.iso8601 }}
+ Host: {{ inventory_hostname }}
+ Kernel: {{ ansible_kernel }}
+ dest: "{{ tcg_storage_results_dir }}/baseline_info_{{ inventory_hostname }}.txt"
+ delegate_to: localhost
\ No newline at end of file
diff --git a/playbooks/roles/tcg_storage/tasks/build_tools.yml b/playbooks/roles/tcg_storage/tasks/build_tools.yml
new file mode 100644
index 00000000..e32cb4b9
--- /dev/null
+++ b/playbooks/roles/tcg_storage/tasks/build_tools.yml
@@ -0,0 +1,71 @@
+---
+# Build TCG Storage tools
+
+- name: Create TCG storage directory
+ ansible.builtin.file:
+ path: "{{ tcg_storage_dir }}"
+ state: directory
+ mode: '0755'
+
+- name: Clone or update go-tcg-storage repository
+ block:
+ - name: Check if using local repository
+ ansible.builtin.stat:
+ path: "{{ tcg_storage_local_path }}"
+ register: local_repo
+ when: tcg_storage_use_local|bool
+
+ - name: Copy local repository
+ ansible.builtin.copy:
+ src: "{{ tcg_storage_local_path }}/"
+ dest: "{{ tcg_storage_dir }}/"
+ mode: preserve
+ when:
+ - tcg_storage_use_local|bool
+ - local_repo.stat.exists
+
+ - name: Clone repository from GitHub
+ ansible.builtin.git:
+ repo: "{{ tcg_storage_github_url }}"
+ dest: "{{ tcg_storage_dir }}"
+ version: "{{ tcg_storage_branch }}"
+ force: yes
+ when: not tcg_storage_use_local|bool
+
+- name: Build TCG storage tools
+ ansible.builtin.command: "go build -o {{ item.binary }} ./cmd/{{ item.cmd }}"
+ args:
+ chdir: "{{ tcg_storage_dir }}"
+ creates: "{{ tcg_storage_dir }}/{{ item.binary }}"
+ loop:
+ - { cmd: "sedlockctl", binary: "sedlockctl" }
+ - { cmd: "tcgsdiag", binary: "tcgsdiag" }
+ - { cmd: "tcgdiskstat", binary: "tcgdiskstat" }
+ register: build_result
+
+- name: Install TCG storage tools
+ ansible.builtin.copy:
+ src: "{{ tcg_storage_dir }}/{{ item }}"
+ dest: "{{ tcg_storage_bin_dir }}/{{ item }}"
+ mode: '0755'
+ remote_src: yes
+ become: yes
+ loop:
+ - sedlockctl
+ - tcgsdiag
+ - tcgdiskstat
+
+- name: Verify tool installation
+ ansible.builtin.command: "{{ item }} --version"
+ loop:
+ - sedlockctl
+ - tcgsdiag
+ - tcgdiskstat
+ changed_when: false
+ failed_when: false
+ register: tool_verification
+
+- name: Display tool verification results
+ ansible.builtin.debug:
+ msg: "{{ item.item }}: {{ 'OK' if item.rc == 0 else 'FAILED' }}"
+ loop: "{{ tool_verification.results }}"
\ No newline at end of file
diff --git a/playbooks/roles/tcg_storage/tasks/device_info.yml b/playbooks/roles/tcg_storage/tasks/device_info.yml
new file mode 100644
index 00000000..77dad76f
--- /dev/null
+++ b/playbooks/roles/tcg_storage/tasks/device_info.yml
@@ -0,0 +1,65 @@
+---
+# Get TCG device information
+
+- name: Check if test device exists
+ ansible.builtin.stat:
+ path: "{{ tcg_storage_test_device }}"
+ register: device_stat
+
+- name: Warn if device doesn't exist
+ ansible.builtin.debug:
+ msg: |
+ WARNING: Device {{ tcg_storage_test_device }} does not exist.
+ This is expected in virtual environments without NVMe passthrough.
+ Only unit tests will work. Integration tests require real TCG/Opal hardware.
+ when: not device_stat.stat.exists
+
+- name: Get device TCG/OPAL information
+ ansible.builtin.command: tcgsdiag info {{ tcg_storage_test_device }}
+ register: tcg_info
+ become: yes
+ failed_when: false
+ when: device_stat.stat.exists
+
+- name: Get device disk statistics
+ ansible.builtin.command: tcgdiskstat {{ tcg_storage_test_device }}
+ register: disk_stats
+ become: yes
+ failed_when: false
+ when: device_stat.stat.exists
+
+- name: Display device information
+ ansible.builtin.debug:
+ msg: |
+ TCG Device Information for {{ tcg_storage_test_device }}:
+ =========================================
+ {% if device_stat.stat.exists %}
+ TCG/OPAL Support:
+ {{ tcg_info.stdout|default('Unable to get TCG information') }}
+
+ Disk Statistics:
+ {{ disk_stats.stdout|default('Unable to get disk statistics') }}
+ {% else %}
+ Device does not exist - running in virtual environment.
+ Only unit tests are available.
+ {% endif %}
+
+- name: Save device information to results
+ ansible.builtin.copy:
+ content: |
+ Device: {{ tcg_storage_test_device }}
+ Date: {{ ansible_date_time.iso8601 }}
+ Host: {{ inventory_hostname }}
+
+ {% if device_stat.stat.exists %}
+ TCG/OPAL Information:
+ {{ tcg_info.stdout|default('Unable to get TCG information') }}
+
+ Disk Statistics:
+ {{ disk_stats.stdout|default('Unable to get disk statistics') }}
+ {% else %}
+ Device Status: Not found - virtual environment detected
+ Note: Only unit tests available, integration tests require real hardware
+ {% endif %}
+ dest: "{{ tcg_storage_results_dir }}/device_report_{{ inventory_hostname }}.txt"
+ delegate_to: localhost
\ No newline at end of file
diff --git a/playbooks/roles/tcg_storage/tasks/install_deps.yml b/playbooks/roles/tcg_storage/tasks/install_deps.yml
new file mode 100644
index 00000000..168a7fe2
--- /dev/null
+++ b/playbooks/roles/tcg_storage/tasks/install_deps.yml
@@ -0,0 +1,21 @@
+---
+# Install dependencies for TCG Storage testing
+
+- name: Install system dependencies including Go
+ ansible.builtin.package:
+ name:
+ - golang
+ - git
+ - gcc
+ - make
+ state: present
+ become: yes
+
+- name: Install TCG/OPAL specific dependencies
+ ansible.builtin.package:
+ name:
+ - sed-opal-unlocker
+ - libblockdev-crypto
+ state: present
+ become: yes
+ failed_when: false # These packages might not be available on all distros
\ No newline at end of file
diff --git a/playbooks/roles/tcg_storage/tasks/main.yml b/playbooks/roles/tcg_storage/tasks/main.yml
new file mode 100644
index 00000000..2b7836b4
--- /dev/null
+++ b/playbooks/roles/tcg_storage/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+# Main tasks for TCG Storage testing
+
+- name: Install dependencies
+ ansible.builtin.include_tasks: install_deps.yml
+ tags: [deps]
+
+- name: Build TCG storage tools
+ ansible.builtin.include_tasks: build_tools.yml
+ tags: [build]
+
+- name: Run TCG storage tests
+ ansible.builtin.include_tasks: run_tests.yml
+ tags: [run_tests]
+
+- name: Establish baseline
+ ansible.builtin.include_tasks: baseline.yml
+ tags: [baseline]
+
+- name: Show tools information
+ ansible.builtin.include_tasks: tools_info.yml
+ tags: [tools_info]
+
+- name: Show device information
+ ansible.builtin.include_tasks: device_info.yml
+ tags: [device_info]
+
+- name: Test take ownership
+ ansible.builtin.include_tasks: test_take_ownership.yml
+ tags: [take_ownership]
+
+- name: Test locking ranges
+ ansible.builtin.include_tasks: test_locking_ranges.yml
+ tags: [locking_ranges]
+
+- name: Test device revert
+ ansible.builtin.include_tasks: test_revert.yml
+ tags: [revert]
\ No newline at end of file
diff --git a/playbooks/roles/tcg_storage/tasks/run_tests.yml b/playbooks/roles/tcg_storage/tasks/run_tests.yml
new file mode 100644
index 00000000..f901833f
--- /dev/null
+++ b/playbooks/roles/tcg_storage/tasks/run_tests.yml
@@ -0,0 +1,87 @@
+---
+# Run TCG Storage tests
+
+- name: Create results directory
+ ansible.builtin.file:
+ path: "{{ tcg_storage_results_dir }}"
+ state: directory
+ mode: '0755'
+ delegate_to: localhost
+ run_once: true
+
+- name: Generate test configuration
+ ansible.builtin.template:
+ src: test_config.yaml.j2
+ dest: "{{ tcg_test_config_file }}"
+ mode: '0644'
+
+- name: Run unit tests
+ block:
+ - name: Execute unit tests
+ ansible.builtin.shell: |
+ # Run all unit tests (without integration tag)
+ go test -v ./... 2>&1 || true
+ args:
+ chdir: "{{ tcg_storage_dir }}"
+ register: unit_test_results
+ ignore_errors: yes
+
+ - name: Save unit test results
+ ansible.builtin.copy:
+ content: "{{ unit_test_results.stdout | default('No unit test output') }}"
+ dest: "{{ tcg_storage_results_dir }}/unit_tests_{{ inventory_hostname }}.txt"
+ delegate_to: localhost
+ when: run_unit_tests|bool
+
+- name: Run integration tests
+ block:
+ - name: Check if test device exists
+ ansible.builtin.stat:
+ path: "{{ tcg_storage_test_device }}"
+ register: test_device_stat
+
+ - name: Fail if test device doesn't exist
+ ansible.builtin.fail:
+ msg: "Test device {{ tcg_storage_test_device }} does not exist"
+ when: not test_device_stat.stat.exists
+
+ - name: Get device TCG/OPAL support info
+ ansible.builtin.command: tcgsdiag {{ tcg_storage_test_device }}
+ register: device_info
+ become: yes
+ ignore_errors: yes
+
+ - name: Try alternative tcgdiskstat for device info if tcgsdiag fails
+ ansible.builtin.command: tcgdiskstat {{ tcg_storage_test_device }}
+ register: device_info_alt
+ become: yes
+ ignore_errors: yes
+ when: device_info.rc != 0
+
+ - name: Save device info
+ ansible.builtin.copy:
+ content: "{{ device_info.stdout if device_info.rc == 0 else device_info_alt.stdout | default('Device info not available') }}"
+ dest: "{{ tcg_storage_results_dir }}/device_info_{{ inventory_hostname }}.txt"
+ delegate_to: localhost
+
+ - name: Run integration test suite
+ ansible.builtin.shell: |
+ # Find and run all test files with integration build tag
+ go test -v -tags integration ./... 2>&1 || true
+ args:
+ chdir: "{{ tcg_storage_dir }}"
+ environment:
+ TCG_TEST_DEVICE: "{{ tcg_storage_test_device }}"
+ TCG_TEST_PASSWORD: "{{ tcg_storage_test_password }}"
+ TCG_DEVICE: "{{ tcg_storage_test_device }}"
+ TCG_PASSWORD: "{{ tcg_storage_test_password }}"
+ register: integration_test_results
+ become: yes
+ ignore_errors: yes
+
+ - name: Save integration test results
+ ansible.builtin.copy:
+ content: "{{ integration_test_results.stdout }}"
+ dest: "{{ tcg_storage_results_dir }}/integration_tests_{{ inventory_hostname }}.txt"
+ delegate_to: localhost
+ when: run_integration_tests|bool
\ No newline at end of file
diff --git a/playbooks/roles/tcg_storage/tasks/test_locking_ranges.yml b/playbooks/roles/tcg_storage/tasks/test_locking_ranges.yml
new file mode 100644
index 00000000..fe6f672f
--- /dev/null
+++ b/playbooks/roles/tcg_storage/tasks/test_locking_ranges.yml
@@ -0,0 +1,89 @@
+---
+# Test locking range operations
+
+- name: Check device exists
+ ansible.builtin.stat:
+ path: "{{ tcg_storage_test_device }}"
+ register: device_stat
+
+- name: Fail if device doesn't exist
+ ansible.builtin.fail:
+ msg: "Device {{ tcg_storage_test_device }} does not exist"
+ when: not device_stat.stat.exists
+
+- name: Test locking range operations
+ block:
+ - name: List current ranges
+ ansible.builtin.command: >
+ sedlockctl --password {{ tcg_storage_test_password }}
+ {{ tcg_storage_test_device }} list
+ register: list_ranges_result
+ become: yes
+ ignore_errors: yes
+
+ - name: Lock all ranges
+ ansible.builtin.command: >
+ sedlockctl --password {{ tcg_storage_test_password }}
+ {{ tcg_storage_test_device }} lock-all
+ register: lock_result
+ become: yes
+ ignore_errors: yes
+
+ - name: Get status after lock
+ ansible.builtin.command: >
+ sedlockctl --password {{ tcg_storage_test_password }}
+ {{ tcg_storage_test_device }} list
+ register: lock_status
+ become: yes
+ ignore_errors: yes
+
+ - name: Unlock all ranges
+ ansible.builtin.command: >
+ sedlockctl --password {{ tcg_storage_test_password }}
+ {{ tcg_storage_test_device }} unlock-all
+ register: unlock_result
+ become: yes
+ ignore_errors: yes
+
+ - name: Get final status
+ ansible.builtin.command: >
+ sedlockctl --password {{ tcg_storage_test_password }}
+ {{ tcg_storage_test_device }} list
+ register: final_status
+ become: yes
+ ignore_errors: yes
+
+ - name: Save locking range test results
+ ansible.builtin.copy:
+ content: |
+ Locking Range Test Results
+ ==========================
+ Date: {{ ansible_date_time.iso8601 }}
+ Host: {{ inventory_hostname }}
+ Device: {{ tcg_storage_test_device }}
+
+ List Ranges Output:
+ {{ list_ranges_result.stdout | default('No output') }}
+
+ Lock Operation:
+ {{ lock_result.stdout | default('No output') }}
+
+ Status After Lock:
+ {{ lock_status.stdout | default('No output') }}
+
+ Unlock Operation:
+ {{ unlock_result.stdout | default('No output') }}
+
+ Final Status:
+ {{ final_status.stdout | default('No output') }}
+ dest: "{{ tcg_storage_results_dir }}/locking_range_test_{{ inventory_hostname }}.txt"
+ delegate_to: localhost
+
+ - name: Display test results
+ ansible.builtin.debug:
+ msg: |
+ Locking range test completed.
+ List: {{ 'SUCCESS' if list_ranges_result.rc == 0 else 'FAILED' }}
+ Lock: {{ 'SUCCESS' if lock_result.rc == 0 else 'FAILED' }}
+ Unlock: {{ 'SUCCESS' if unlock_result.rc == 0 else 'FAILED' }}
+ when: test_locking_ranges|bool
\ No newline at end of file
diff --git a/playbooks/roles/tcg_storage/tasks/test_revert.yml b/playbooks/roles/tcg_storage/tasks/test_revert.yml
new file mode 100644
index 00000000..b41d8e78
--- /dev/null
+++ b/playbooks/roles/tcg_storage/tasks/test_revert.yml
@@ -0,0 +1,80 @@
+---
+# Test device revert operations
+
+- name: Check device exists
+ ansible.builtin.stat:
+ path: "{{ tcg_storage_test_device }}"
+ register: device_stat
+
+- name: Fail if device doesn't exist
+ ansible.builtin.fail:
+ msg: "Device {{ tcg_storage_test_device }} does not exist"
+ when: not device_stat.stat.exists
+
+- name: Test revert operations
+ block:
+ - name: Get initial device status
+ ansible.builtin.command: >
+ sedlockctl status {{ tcg_storage_test_device }}
+ register: initial_status
+ become: yes
+
+ - name: Perform PSID revert (factory reset)
+ ansible.builtin.command: >
+ sedlockctl psid-revert
+ --psid {{ tcg_storage_psid|default('DEFAULT-PSID') }}
+ {{ tcg_storage_test_device }}
+ register: revert_result
+ become: yes
+ when: tcg_storage_psid is defined
+
+ - name: Perform Admin SP revert
+ ansible.builtin.command: >
+ sedlockctl revert
+ --password {{ tcg_storage_test_password }}
+ {{ tcg_storage_test_device }}
+ register: admin_revert_result
+ become: yes
+ when: tcg_storage_psid is not defined
+
+ - name: Get device status after revert
+ ansible.builtin.command: >
+ sedlockctl status {{ tcg_storage_test_device }}
+ register: final_status
+ become: yes
+
+ - name: Save revert test results
+ ansible.builtin.copy:
+ content: |
+ Revert Test Results
+ ===================
+ Date: {{ ansible_date_time.iso8601 }}
+ Host: {{ inventory_hostname }}
+ Device: {{ tcg_storage_test_device }}
+
+ Initial Status:
+ {{ initial_status.stdout }}
+
+ {% if tcg_storage_psid is defined %}
+ PSID Revert Output:
+ {{ revert_result.stdout }}
+ {% else %}
+ Admin SP Revert Output:
+ {{ admin_revert_result.stdout }}
+ {% endif %}
+
+ Final Status:
+ {{ final_status.stdout }}
+ dest: "{{ tcg_storage_results_dir }}/revert_test_{{ inventory_hostname }}.txt"
+ delegate_to: localhost
+
+ - name: Display test results
+ ansible.builtin.debug:
+ msg: |
+ Revert test completed.
+ {% if tcg_storage_psid is defined %}
+ PSID Revert: {{ 'SUCCESS' if revert_result.rc == 0 else 'FAILED' }}
+ {% else %}
+ Admin SP Revert: {{ 'SUCCESS' if admin_revert_result.rc == 0 else 'FAILED' }}
+ {% endif %}
+ when: test_revert|bool
\ No newline at end of file
diff --git a/playbooks/roles/tcg_storage/tasks/test_take_ownership.yml b/playbooks/roles/tcg_storage/tasks/test_take_ownership.yml
new file mode 100644
index 00000000..e2369f85
--- /dev/null
+++ b/playbooks/roles/tcg_storage/tasks/test_take_ownership.yml
@@ -0,0 +1,57 @@
+---
+# Test taking ownership of TCG device
+
+- name: Check device exists
+ ansible.builtin.stat:
+ path: "{{ tcg_storage_test_device }}"
+ register: device_stat
+
+- name: Fail if device doesn't exist
+ ansible.builtin.fail:
+ msg: "Device {{ tcg_storage_test_device }} does not exist"
+ when: not device_stat.stat.exists
+
+- name: Test take ownership operation
+ block:
+ - name: Note about take-ownership
+ ansible.builtin.debug:
+ msg: "Note: sedlockctl doesn't have a take-ownership command. Testing list functionality instead."
+
+ - name: List device ranges (ownership test alternative)
+ ansible.builtin.command: >
+ sedlockctl --password {{ tcg_storage_test_password }}
+ {{ tcg_storage_test_device }} list
+ register: ownership_result
+ become: yes
+ ignore_errors: yes
+
+ - name: Try device info with tcgdiskstat
+ ansible.builtin.command: >
+ tcgdiskstat {{ tcg_storage_test_device }}
+ register: status_result
+ become: yes
+ ignore_errors: yes
+
+ - name: Save ownership test results
+ ansible.builtin.copy:
+ content: |
+ Take Ownership Test Results
+ ===========================
+ Date: {{ ansible_date_time.iso8601 }}
+ Host: {{ inventory_hostname }}
+ Device: {{ tcg_storage_test_device }}
+
+ Take Ownership Output:
+ {{ ownership_result.stdout }}
+
+ Device Status After:
+ {{ status_result.stdout }}
+ dest: "{{ tcg_storage_results_dir }}/ownership_test_{{ inventory_hostname }}.txt"
+ delegate_to: localhost
+
+ - name: Display test results
+ ansible.builtin.debug:
+ msg: |
+ Take ownership test completed.
+ Result: {{ 'SUCCESS' if ownership_result.rc == 0 else 'FAILED' }}
+ when: test_take_ownership|bool
\ No newline at end of file
diff --git a/playbooks/roles/tcg_storage/tasks/tools_info.yml b/playbooks/roles/tcg_storage/tasks/tools_info.yml
new file mode 100644
index 00000000..5c1f225d
--- /dev/null
+++ b/playbooks/roles/tcg_storage/tasks/tools_info.yml
@@ -0,0 +1,46 @@
+---
+# Display information about TCG storage tools
+
+- name: Check for sedlockctl
+ ansible.builtin.command: which sedlockctl
+ register: sedlockctl_path
+ failed_when: false
+ changed_when: false
+
+- name: Check for tcgsdiag
+ ansible.builtin.command: which tcgsdiag
+ register: tcgsdiag_path
+ failed_when: false
+ changed_when: false
+
+- name: Check for tcgdiskstat
+ ansible.builtin.command: which tcgdiskstat
+ register: tcgdiskstat_path
+ failed_when: false
+ changed_when: false
+
+- name: Get tool versions
+ ansible.builtin.command: "{{ item }} --version"
+ loop:
+ - sedlockctl
+ - tcgsdiag
+ - tcgdiskstat
+ register: tool_versions
+ failed_when: false
+ changed_when: false
+ when: item in [sedlockctl_path.stdout, tcgsdiag_path.stdout, tcgdiskstat_path.stdout]
+
+- name: Display tools information
+ ansible.builtin.debug:
+ msg: |
+ TCG Storage Tools Status:
+ ========================
+ sedlockctl: {{ 'Installed at ' + sedlockctl_path.stdout if sedlockctl_path.rc == 0 else 'Not found' }}
+ tcgsdiag: {{ 'Installed at ' + tcgsdiag_path.stdout if tcgsdiag_path.rc == 0 else 'Not found' }}
+ tcgdiskstat: {{ 'Installed at ' + tcgdiskstat_path.stdout if tcgdiskstat_path.rc == 0 else 'Not found' }}
+
+ {% for result in tool_versions.results %}
+ {% if not result.skipped|default(false) %}
+ {{ result.item }} version: {{ result.stdout|default('Unknown') }}
+ {% endif %}
+ {% endfor %}
\ No newline at end of file
diff --git a/playbooks/roles/tcg_storage/templates/test_config.yaml.j2 b/playbooks/roles/tcg_storage/templates/test_config.yaml.j2
new file mode 100644
index 00000000..d8594ce2
--- /dev/null
+++ b/playbooks/roles/tcg_storage/templates/test_config.yaml.j2
@@ -0,0 +1,28 @@
+# TCG Storage Test Configuration
+# Generated by kdevops for {{ inventory_hostname }}
+# Date: {{ ansible_date_time.iso8601 }}
+
+device:
+ path: {{ tcg_storage_test_device }}
+ type: {{ tcg_storage_test_device_type }}
+
+credentials:
+ admin_password: {{ tcg_storage_test_password }}
+{% if tcg_storage_psid is defined %}
+ psid: {{ tcg_storage_psid }}
+{% endif %}
+
+test_settings:
+ run_unit_tests: {{ run_unit_tests|bool }}
+ run_integration_tests: {{ run_integration_tests|bool }}
+
+test_suites:
+ take_ownership: {{ test_take_ownership|bool }}
+ locking_ranges: {{ test_locking_ranges|bool }}
+ revert: {{ test_revert|bool }}
+
+environment:
+ hostname: {{ inventory_hostname }}
+ kernel: {{ ansible_kernel }}
+ distribution: {{ ansible_distribution }} {{ ansible_distribution_version }}
+ architecture: {{ ansible_architecture }}
\ No newline at end of file
diff --git a/playbooks/tcg-storage.yml b/playbooks/tcg-storage.yml
new file mode 100644
index 00000000..f9258a1f
--- /dev/null
+++ b/playbooks/tcg-storage.yml
@@ -0,0 +1,16 @@
+---
+# TCG Storage testing playbook
+# This playbook manages TCG/OPAL self-encrypting drive testing using the tcg_storage role
+
+- name: TCG Storage testing workflow
+ hosts: baseline:dev
+ become: yes
+ become_method: sudo
+ gather_facts: yes
+ vars:
+ data_path: /data
+ topdir_path: "{{ topdir_path | default(playbook_dir + '/..') }}"
+ roles:
+ - role: tcg_storage
+ tags: ['deps', 'build', 'run_tests', 'baseline', 'tools_info',
+ 'device_info', 'take_ownership', 'locking_ranges', 'revert']
\ No newline at end of file
diff --git a/workflows/Makefile b/workflows/Makefile
index 05c75a2d..4efae3b7 100644
--- a/workflows/Makefile
+++ b/workflows/Makefile
@@ -78,6 +78,10 @@ ifeq (y,$(CONFIG_KDEVOPS_WORKFLOW_ENABLE_BUILD_LINUX))
include workflows/build-linux/Makefile
endif # CONFIG_KDEVOPS_WORKFLOW_ENABLE_BUILD_LINUX == y
+ifeq (y,$(CONFIG_KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE))
+include workflows/tcg-storage/Makefile
+endif # CONFIG_KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE == y
+
ANSIBLE_EXTRA_ARGS += $(WORKFLOW_ARGS)
ANSIBLE_EXTRA_ARGS_SEPARATED += $(WORKFLOW_ARGS_SEPARATED)
ANSIBLE_EXTRA_ARGS_DIRECT += $(WORKFLOW_ARGS_DIRECT)
diff --git a/workflows/tcg-storage/Kconfig b/workflows/tcg-storage/Kconfig
new file mode 100644
index 00000000..c83fc85d
--- /dev/null
+++ b/workflows/tcg-storage/Kconfig
@@ -0,0 +1,186 @@
+if KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
+
+config HAVE_DISTRO_PREFERS_TCG_STORAGE_WATCHDOG
+ bool
+ default n
+
+config HAVE_DISTRO_PREFERS_TCG_STORAGE_WATCHDOG_KILL
+ bool
+ default n
+
+config HAVE_DISTRO_PREFERS_TCG_STORAGE_WATCHDOG_RESET
+ bool
+ default n
+
+config TCG_STORAGE_TOOLS
+ bool "Install TCG storage tools"
+ default y
+ help
+ This will install the go-tcg-storage tools:
+ - sedlockctl: Tool to manage SED/TCG drives
+ - tcgsdiag: Diagnostic tool for TCG drives
+ - tcgdiskstat: Display TCG drive statistics
+ - gosedctl: Alternative SED control tool
+
+config TCG_STORAGE_GITHUB_URL
+ string "GitHub URL for go-tcg-storage"
+ default "https://github.com/open-source-firmware/go-tcg-storage"
+ help
+ GitHub repository URL for the go-tcg-storage project.
+ You can override this to use a fork or mirror.
+
+config TCG_STORAGE_BRANCH
+ string "Branch to use for go-tcg-storage"
+ default "main"
+ help
+ Branch or tag to checkout from the go-tcg-storage repository.
+
+config TCG_STORAGE_USE_LOCAL
+ bool "Use local go-tcg-storage directory"
+ default n
+ help
+ If enabled, use the local go-tcg-storage directory at
+ ../go-tcg-storage instead of cloning from GitHub.
+ This is useful for development and testing.
+
+config TCG_STORAGE_LOCAL_PATH
+ string "Local path to go-tcg-storage"
+ default "../go-tcg-storage"
+ depends on TCG_STORAGE_USE_LOCAL
+ help
+ Path to the local go-tcg-storage directory.
+ This path is relative to the kdevops root directory.
+
+config TCG_STORAGE_TEST_DEVICE
+ string "Device to use for TCG storage testing"
+ default "/dev/nvme0n1"
+ help
+ The block device to use for TCG storage testing.
+ WARNING: This device should be a test device as tests may
+ modify TCG/OPAL settings on the device.
+
+ For declared hosts (bare metal), you can override this at
+ make time with: TCG_DEVICE=/dev/nvme0n1
+ Common values:
+ - /dev/nvme0n1 for NVMe devices
+ - /dev/sda for SATA devices
+ - /dev/sg0 for SAS devices
+
+config TCG_STORAGE_TEST_DEVICE_TYPE
+ string "Type of storage device"
+ default "nvme"
+ help
+ Type of the storage device being tested.
+ Valid options: nvme, sata, sas
+
+config TCG_STORAGE_TEST_PASSWORD
+ string "Password for TCG operations"
+ default "testpassword123"
+ help
+ Password to use for TCG/OPAL operations during testing.
+ This password will be used for taking ownership and
+ authentication during tests.
+
+config TCG_STORAGE_RUN_UNIT_TESTS
+ bool "Run go-tcg-storage unit tests"
+ default y
+ help
+ Run the unit tests included with go-tcg-storage.
+ These tests verify the library functionality.
+
+config TCG_STORAGE_RUN_INTEGRATION_TESTS
+ bool "Run integration tests on test device"
+ default n
+ help
+ Run integration tests that interact with actual TCG/OPAL devices.
+ WARNING: These tests will modify the TCG state of the test device.
+ Only enable this if you have a dedicated test device.
+
+config TCG_STORAGE_TEST_TAKE_OWNERSHIP
+ bool "Test taking ownership of device"
+ default n
+ depends on TCG_STORAGE_RUN_INTEGRATION_TESTS
+ help
+ Test taking ownership of the TCG device.
+ This will set the Admin1 password on the device.
+
+config TCG_STORAGE_TEST_LOCKING_RANGES
+ bool "Test locking range operations"
+ default n
+ depends on TCG_STORAGE_RUN_INTEGRATION_TESTS
+ help
+ Test creating, modifying, and deleting locking ranges.
+ This will test the locking functionality of the device.
+
+config TCG_STORAGE_TEST_REVERT
+ bool "Test device revert operations"
+ default n
+ depends on TCG_STORAGE_RUN_INTEGRATION_TESTS
+ help
+ Test reverting the device to factory defaults.
+ WARNING: This will erase all TCG configuration on the device.
+
+
+config TCG_STORAGE_WATCHDOG
+ bool "Enable kdevops tcg-storage watchdog"
+ default y if HAVE_DISTRO_PREFERS_TCG_STORAGE_WATCHDOG
+ default n if !HAVE_DISTRO_PREFERS_TCG_STORAGE_WATCHDOG
+ depends on KERNEL_CI
+ help
+ Enable the TCG storage watchdog which monitors test progress
+ and can detect hung tests.
+
+if TCG_STORAGE_WATCHDOG
+
+config TCG_STORAGE_WATCHDOG_CHECK_TIME
+ int "How often to check test status in seconds"
+ default 5
+ help
+ How often to trigger the TCG storage watchdog check, in seconds.
+
+config TCG_STORAGE_WATCHDOG_MAX_TEST_TIME
+ int "Max minutes to wait for a test before assuming a hang"
+ default 30
+ help
+ Maximum time in minutes to wait for a test to complete
+ before assuming it is hung.
+
+config TCG_STORAGE_WATCHDOG_KILL_HUNG_TEST
+ bool "Kill hung tests"
+ default y if HAVE_DISTRO_PREFERS_TCG_STORAGE_WATCHDOG_KILL
+ default n if !HAVE_DISTRO_PREFERS_TCG_STORAGE_WATCHDOG_KILL
+ help
+ If enabled, the watchdog will kill tests that appear to be hung.
+
+config TCG_STORAGE_WATCHDOG_RESET_HUNG_TEST_SYSTEM
+ bool "Reset system with hung tests"
+ default y if HAVE_DISTRO_PREFERS_TCG_STORAGE_WATCHDOG_RESET
+ default n if !HAVE_DISTRO_PREFERS_TCG_STORAGE_WATCHDOG_RESET
+ help
+ If enabled, the watchdog will reset systems that have hung tests.
+ This is useful for automated testing but should be used with caution.
+
+endif # TCG_STORAGE_WATCHDOG
+
+config TCG_STORAGE_RESULTS_DIR
+ string "Directory for test results"
+ default "workflows/tcg-storage/results"
+ help
+ Directory where test results will be stored.
+ Results include test output, logs, and device information.
+
+config TCG_STORAGE_BASELINE
+ bool "Establish baseline for TCG storage tests"
+ default n
+ help
+ Run tests to establish a baseline for TCG storage functionality.
+ This baseline can be used to compare against future test runs.
+
+config TCG_STORAGE_BASELINE_AND_DEV
+ bool "Enable A/B testing for TCG storage"
+ default n
+ help
+ Enable A/B testing mode where tests are run on both baseline
+ and development systems to compare results.
+
+endif # KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
\ No newline at end of file
diff --git a/workflows/tcg-storage/Makefile b/workflows/tcg-storage/Makefile
new file mode 100644
index 00000000..f4643ffb
--- /dev/null
+++ b/workflows/tcg-storage/Makefile
@@ -0,0 +1,200 @@
+# TCG Storage workflow Makefile
+#
+# This Makefile provides targets for testing TCG Storage functionality
+# using the go-tcg-storage test suite.
+
+TCG_STORAGE_ARGS :=
+
+ifeq (y,$(CONFIG_KERNEL_CI))
+TCG_STORAGE_KERNEL_CI_LOOP := scripts/workflows/tcg-storage/run_kernel_ci.sh
+TCG_STORAGE_KERNEL_CI_LOOP_KOTD := scripts/workflows/tcg-storage/run_kernel_ci_kotd.sh
+endif
+
+TOPDIR_PATH ?= $(PWD)
+TOPDIR_PATH_ESCAPED = $(shell echo $(TOPDIR_PATH) | sed 's/\//\\\//g')
+TCG_STORAGE_RESULTS_DIR := $(TOPDIR_PATH)/workflows/tcg-storage/results
+
+tcg-storage-help:
+ @echo "TCG Storage testing options:"
+ @echo "tcg-storage - Run TCG storage tests"
+ @echo "tcg-storage-baseline - Establish baseline for TCG storage tests"
+ @echo "tcg-storage-dev - Run tests on development kernel"
+ @echo "tcg-storage-results - Show test results"
+ @echo "tcg-storage-results-full - Show detailed test results"
+ @echo "tcg-storage-clean - Clean test results"
+ @echo "tcg-storage-tools-info - Show information about installed TCG tools"
+ @echo "tcg-storage-device-info - Show information about TCG devices"
+ @echo ""
+ @echo "TCG Storage test configuration:"
+ @echo "tcg-storage-take-ownership - Test taking ownership of TCG device"
+ @echo "tcg-storage-locking-ranges - Test locking range operations"
+ @echo "tcg-storage-revert - Test device revert operations"
+ @echo ""
+
+tcg-storage-menuconfig:
+ @$(Q)make menuconfig
+ @$(Q)echo "TCG Storage configuration saved"
+
+tcg-storage-configure: tcg-storage-menuconfig
+
+# Allow TCG_DEVICE override for declared hosts
+ifdef TCG_DEVICE
+TCG_STORAGE_TEST_ARGS += test_device=$(TCG_DEVICE)
+else
+TCG_STORAGE_TEST_ARGS += test_device=$(CONFIG_TCG_STORAGE_TEST_DEVICE)
+endif
+
+TCG_STORAGE_TEST_ARGS += test_device_type=$(CONFIG_TCG_STORAGE_TEST_DEVICE_TYPE)
+TCG_STORAGE_TEST_ARGS += test_password=$(CONFIG_TCG_STORAGE_TEST_PASSWORD)
+
+ifeq (y,$(CONFIG_TCG_STORAGE_USE_LOCAL))
+TCG_STORAGE_TEST_ARGS += tcg_storage_use_local=true
+TCG_STORAGE_TEST_ARGS += tcg_storage_local_path=$(CONFIG_TCG_STORAGE_LOCAL_PATH)
+else
+TCG_STORAGE_TEST_ARGS += tcg_storage_github_url=$(CONFIG_TCG_STORAGE_GITHUB_URL)
+TCG_STORAGE_TEST_ARGS += tcg_storage_branch=$(CONFIG_TCG_STORAGE_BRANCH)
+endif
+
+ifeq (y,$(CONFIG_TCG_STORAGE_RUN_UNIT_TESTS))
+TCG_STORAGE_TEST_ARGS += run_unit_tests=true
+endif
+
+ifeq (y,$(CONFIG_TCG_STORAGE_RUN_INTEGRATION_TESTS))
+TCG_STORAGE_TEST_ARGS += run_integration_tests=true
+endif
+
+ifeq (y,$(CONFIG_TCG_STORAGE_TEST_TAKE_OWNERSHIP))
+TCG_STORAGE_TEST_ARGS += test_take_ownership=true
+endif
+
+ifeq (y,$(CONFIG_TCG_STORAGE_TEST_LOCKING_RANGES))
+TCG_STORAGE_TEST_ARGS += test_locking_ranges=true
+endif
+
+ifeq (y,$(CONFIG_TCG_STORAGE_TEST_REVERT))
+TCG_STORAGE_TEST_ARGS += test_revert=true
+endif
+
+tcg-storage-build-tools:
+ @echo "Building TCG storage tools..."
+ $(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
+ -f 30 -i hosts playbooks/tcg-storage.yml \
+ --tags build \
+ --extra-vars=@extra_vars.yaml \
+ --extra-vars="$(TCG_STORAGE_TEST_ARGS)"
+
+tcg-storage:
+ @echo "Installing dependencies and running TCG storage tests..."
+ $(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
+ -f 30 -i hosts playbooks/tcg-storage.yml \
+ --tags deps,build,run_tests \
+ --extra-vars=@extra_vars.yaml \
+ --extra-vars="$(TCG_STORAGE_TEST_ARGS)"
+
+tcg-storage-baseline:
+ @echo "Establishing TCG storage baseline..."
+ $(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
+ -f 30 -i hosts playbooks/tcg-storage.yml \
+ --tags baseline \
+ --extra-vars=@extra_vars.yaml \
+ --extra-vars="$(TCG_STORAGE_TEST_ARGS)" \
+ --extra-vars="test_type=baseline"
+
+tcg-storage-results:
+ @echo "TCG Storage Test Results:"
+ @echo "========================="
+ @if [ -d "$(TCG_STORAGE_RESULTS_DIR)" ]; then \
+ for file in $(TCG_STORAGE_RESULTS_DIR)/*.txt; do \
+ if [ -f "$$file" ]; then \
+ echo ""; \
+ echo "=== $$(basename $$file) ==="; \
+ head -20 "$$file"; \
+ fi \
+ done \
+ else \
+ echo "No results found. Run 'make tcg-storage' first."; \
+ fi
+
+tcg-storage-results-full:
+ @echo "Full TCG Storage Test Results:"
+ @echo "=============================="
+ @if [ -d "$(TCG_STORAGE_RESULTS_DIR)" ]; then \
+ for file in $(TCG_STORAGE_RESULTS_DIR)/*.txt; do \
+ if [ -f "$$file" ]; then \
+ echo ""; \
+ echo "=== $$(basename $$file) ==="; \
+ cat "$$file"; \
+ echo ""; \
+ fi \
+ done \
+ else \
+ echo "No results found. Run 'make tcg-storage' first."; \
+ fi
+
+tcg-storage-dev: tcg-storage
+ @echo "TCG storage development tests completed"
+
+tcg-storage-clean:
+ @echo "Cleaning TCG storage test results..."
+ @rm -rf $(TCG_STORAGE_RESULTS_DIR)
+ @echo "TCG storage test results cleaned"
+
+tcg-storage-tools-info:
+ @echo "Checking TCG storage tools..."
+ $(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
+ -f 30 -i hosts playbooks/tcg-storage.yml \
+ --tags tools_info \
+ --extra-vars=@extra_vars.yaml
+
+tcg-storage-device-info:
+ @echo "Getting TCG device information..."
+ $(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
+ -f 30 -i hosts playbooks/tcg-storage.yml \
+ --tags device_info \
+ --extra-vars=@extra_vars.yaml \
+ --extra-vars="$(TCG_STORAGE_TEST_ARGS)"
+
+tcg-storage-take-ownership:
+ @echo "Testing TCG device ownership..."
+ $(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
+ -f 30 -i hosts playbooks/tcg-storage.yml \
+ --tags take_ownership \
+ --extra-vars=@extra_vars.yaml \
+ --extra-vars="$(TCG_STORAGE_TEST_ARGS) test_take_ownership=true"
+
+tcg-storage-locking-ranges:
+ @echo "Testing TCG locking ranges..."
+ $(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
+ -f 30 -i hosts playbooks/tcg-storage.yml \
+ --tags locking_ranges \
+ --extra-vars=@extra_vars.yaml \
+ --extra-vars="$(TCG_STORAGE_TEST_ARGS) test_locking_ranges=true"
+
+tcg-storage-revert:
+ @echo "Testing TCG device revert..."
+ $(Q)ansible-playbook $(ANSIBLE_VERBOSE) \
+ -f 30 -i hosts playbooks/tcg-storage.yml \
+ --tags revert \
+ --extra-vars=@extra_vars.yaml \
+ --extra-vars="$(TCG_STORAGE_TEST_ARGS) test_revert=true"
+
+ifeq (y,$(CONFIG_KERNEL_CI))
+tcg-storage-kernel-ci-loop:
+ $(Q)$(TCG_STORAGE_KERNEL_CI_LOOP) $(TCG_STORAGE_ARGS)
+
+tcg-storage-kernel-ci-loop-kotd:
+ $(Q)$(TCG_STORAGE_KERNEL_CI_LOOP_KOTD) $(TCG_STORAGE_ARGS)
+endif # CONFIG_KERNEL_CI
+
+PHONY += tcg-storage-help tcg-storage-menuconfig tcg-storage-configure
+PHONY += tcg-storage tcg-storage-baseline tcg-storage-dev
+PHONY += tcg-storage-results tcg-storage-results-full tcg-storage-clean
+PHONY += tcg-storage-build-tools
+PHONY += tcg-storage-tools-info tcg-storage-device-info
+PHONY += tcg-storage-take-ownership tcg-storage-locking-ranges tcg-storage-revert
+
+ifeq (y,$(CONFIG_KERNEL_CI))
+PHONY += tcg-storage-kernel-ci-loop tcg-storage-kernel-ci-loop-kotd
+endif
+
+HELP_TARGETS += tcg-storage-help
\ No newline at end of file
diff --git a/workflows/tcg-storage/README.md b/workflows/tcg-storage/README.md
new file mode 100644
index 00000000..2cf37a2a
--- /dev/null
+++ b/workflows/tcg-storage/README.md
@@ -0,0 +1,222 @@
+# TCG Storage Testing Workflow
+
+This workflow provides automated testing for TCG (Trusted Computing Group) Storage
+and OPAL (Open Protocol for Authentication and Locking) functionality on
+self-encrypting drives using the [go-tcg-storage](https://github.com/open-source-firmware/go-tcg-storage) test suite.
+
+## Overview
+
+The TCG Storage workflow allows you to:
+- Test TCG/OPAL functionality on NVMe, SATA, and SAS drives
+- Run unit tests for the go-tcg-storage library
+- Perform integration tests on actual hardware
+- Test drive ownership, locking ranges, and device revert operations
+- Support A/B testing between baseline and development kernels
+
+## Quick Start
+
+### Using defconfig (Virtual Environment)
+
+The easiest way to get started is using the provided defconfig:
+
+```bash
+make defconfig-tcg-storage
+make
+make bringup
+make tcg-storage
+```
+
+### Using Declared Hosts (Bare Metal/Existing Systems)
+
+For testing on real hardware with TCG/Opal support:
+
+```bash
+# Specify your host and NVMe device
+make defconfig-tcg-storage-declared-hosts DECLARE_HOSTS=myserver TCG_DEVICE=/dev/nvme0n1
+make
+make tcg-storage
+```
+
+This skips the bringup phase and runs directly on the specified host.
+
+### Manual Configuration
+
+```bash
+make menuconfig
+# Navigate to: Workflows -> Dedicated workflow -> tcg-storage
+# Configure TCG storage options as needed
+make
+make bringup
+make tcg-storage
+```
+
+## Configuration Options
+
+### Test Device Configuration
+
+- **Device Path**: Configure the test device (default: `/dev/nvme0n1`)
+- **Device Type**: Specify device type: `nvme`, `sata`, or `sas`
+- **Password**: Set the password for TCG operations
+
+### Test Types
+
+- **Unit Tests**: Run go-tcg-storage library unit tests
+- **Integration Tests**: Run tests on actual TCG/OPAL hardware
+- **Take Ownership**: Test taking ownership of TCG device
+- **Locking Ranges**: Test locking range operations
+- **Device Revert**: Test reverting device to factory defaults
+
+### Local Development
+
+For local development of go-tcg-storage:
+
+1. Enable `TCG_STORAGE_USE_LOCAL` in menuconfig
+2. Set `TCG_STORAGE_LOCAL_PATH` to your local go-tcg-storage directory
+3. The workflow will use your local code instead of cloning from GitHub
+
+## Available Make Targets
+
+```bash
+make tcg-storage # Run TCG storage tests
+make tcg-storage-baseline # Establish baseline
+make tcg-storage-dev # Run on development kernel
+make tcg-storage-results # View test results
+make tcg-storage-results-full # View detailed results
+make tcg-storage-clean # Clean test results
+make tcg-storage-tools-info # Show TCG tools information
+make tcg-storage-device-info # Show TCG device information
+make tcg-storage-take-ownership # Test device ownership
+make tcg-storage-locking-ranges # Test locking ranges
+make tcg-storage-revert # Test device revert
+```
+
+## Tools Installed
+
+The workflow installs the following tools from go-tcg-storage:
+
+- **sedlockctl**: Manage SED/TCG drives
+- **tcgsdiag**: Diagnostic tool for TCG drives
+- **tcgdiskstat**: Display TCG drive statistics (like blkid for TCG)
+- **gosedctl**: Alternative SED control tool
+
+## Test Results
+
+Test results are stored in `workflows/tcg-storage/results/` including:
+- Unit test results
+- Integration test results
+- Device information
+- Test summaries
+
+## A/B Testing
+
+To enable A/B testing between baseline and development kernels:
+
+1. Enable `TCG_STORAGE_BASELINE_AND_DEV` in menuconfig
+2. Configure different kernel versions for baseline and dev
+3. Run tests: `make tcg-storage`
+4. Compare results between baseline and dev nodes
+
+## Declared Hosts Support
+
+The TCG storage workflow fully supports declared hosts for testing on bare metal
+or pre-existing infrastructure:
+
+### Benefits of Declared Hosts
+- Test on real TCG/Opal hardware
+- No virtualization overhead
+- Full integration test support
+- Direct hardware access
+
+### Example Usage
+
+```bash
+# Single host with specific NVMe device
+make defconfig-tcg-storage-declared-hosts DECLARE_HOSTS=server1 TCG_DEVICE=/dev/nvme1n1
+make
+make tcg-storage
+
+# Multiple hosts (comma-separated)
+make defconfig-tcg-storage-declared-hosts DECLARE_HOSTS=server1,server2 TCG_DEVICE=/dev/nvme0n1
+make
+make tcg-storage
+```
+
+### Prerequisites for Declared Hosts
+1. SSH access to the target hosts
+2. Hosts listed in your SSH config or /etc/hosts
+3. Root/sudo access on target hosts
+4. NVMe device with TCG/Opal support
+5. Go and build tools will be installed automatically
+
+## Supported Hardware
+
+The go-tcg-storage library has been tested with drives from:
+- Samsung (PM961, PM981, 970 EVO Plus, 980 Pro, etc.)
+- Intel (P4510, P4610)
+- Seagate (Momentus, Exos)
+- Corsair (Force MP510)
+- SK hynix (PC611)
+- Toshiba (MG08SCP16TE)
+- Sabrent (Rocket 4.0)
+
+See the full list in the [go-tcg-storage README](https://github.com/open-source-firmware/go-tcg-storage#tested-drives).
+
+## Virtual Environment Limitations
+
+**IMPORTANT**: Testing TCG/Opal in QEMU/KVM virtual environments has significant limitations:
+
+1. **QEMU NVMe Controller**: The standard QEMU NVMe controller does NOT emulate TCG/Opal features.
+ Most TCG commands will fail or return "not supported" errors.
+
+2. **Unit Tests Only**: In virtual environments, only the go-tcg-storage unit tests will work.
+ Integration tests that require actual TCG/Opal hardware will fail.
+
+3. **Hardware Testing**: For full TCG/Opal testing, you need:
+ - Physical hardware with TCG/Opal support
+ - PCIe passthrough of NVMe devices to VMs
+ - Or bare metal testing
+
+To enable PCIe passthrough for real hardware testing in VMs, see the kdevops
+PCIe passthrough documentation.
+
+## Safety Warning
+
+**WARNING**: TCG/OPAL operations can modify drive security settings. Only use
+dedicated test devices. Operations like device revert will erase all TCG
+configuration on the device.
+
+## Troubleshooting
+
+### Device Not Found
+
+If your test device is not found:
+1. Verify the device path in menuconfig
+2. Check device permissions
+3. Ensure the device supports TCG/OPAL
+
+### Go Build Failures
+
+If Go build fails:
+1. Check Go version (requires 1.21+)
+2. Enable `TCG_STORAGE_INSTALL_DEPS` to install Go
+3. Check network connectivity for downloading dependencies
+
+### TCG Operations Fail
+
+If TCG operations fail:
+1. Verify device supports TCG/OPAL: `make tcg-storage-device-info`
+2. Check if device is already owned (may need revert)
+3. Ensure correct password is configured
+
+## Contributing
+
+To contribute to this workflow:
+1. Test changes with both unit and integration tests
+2. Update documentation for new features
+3. Follow kdevops coding standards
+4. Submit patches to the kdevops mailing list
+
+## License
+
+This workflow is part of kdevops and licensed under copyleft-next-0.3.1.
+The go-tcg-storage tools are licensed under BSD 3-Clause.
\ No newline at end of file
diff --git a/workflows/tcg-storage/results/device_report_debian13-tcg-storage.txt b/workflows/tcg-storage/results/device_report_debian13-tcg-storage.txt
new file mode 100644
index 00000000..036e5ca1
--- /dev/null
+++ b/workflows/tcg-storage/results/device_report_debian13-tcg-storage.txt
@@ -0,0 +1,9 @@
+Device: /dev/nvme0n1
+Date: 2025-09-12T02:12:14Z
+Host: debian13-tcg-storage
+
+TCG/OPAL Information:
+
+
+Disk Statistics:
+DEVICE MODEL SERIAL FIRMWARE PROTOCOL SSC STATE
\ No newline at end of file
diff --git a/workflows/tcg-storage/scripts/check_tcg_device.sh b/workflows/tcg-storage/scripts/check_tcg_device.sh
new file mode 100755
index 00000000..ebc2c94c
--- /dev/null
+++ b/workflows/tcg-storage/scripts/check_tcg_device.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# SPDX-License-Identifier: copyleft-next-0.3.1
+# Check if a device supports TCG/OPAL
+
+# Usage: check_tcg_device.sh <device>
+# Example: check_tcg_device.sh /dev/nvme0n1
+
+set -e
+
+DEVICE="${1:-/dev/nvme0n1}"
+
+if [ ! -e "$DEVICE" ]; then
+ echo "Error: Device $DEVICE does not exist"
+ exit 1
+fi
+
+echo "Checking TCG/OPAL support for $DEVICE..."
+
+# Check if sedutil-cli is available (alternative tool)
+if command -v sedutil-cli &> /dev/null; then
+ echo "Using sedutil-cli to check device..."
+ sedutil-cli --scan | grep -q "$DEVICE" && echo "Device supports TCG/OPAL" || echo "Device does not support TCG/OPAL"
+fi
+
+# Check if device is NVMe and has security features
+if [[ "$DEVICE" == /dev/nvme* ]]; then
+ echo "NVMe device detected, checking security capabilities..."
+ nvme id-ctrl "$DEVICE" 2>/dev/null | grep -i "opal\|tcg" || echo "No TCG/OPAL info in NVMe identify"
+fi
+
+# Check kernel TCG OPAL support
+if [ -d /sys/kernel/security/tpm0 ]; then
+ echo "TPM support detected in kernel"
+fi
+
+# Check for OPAL sysfs entries
+DEVICE_NAME=$(basename "$DEVICE")
+if [ -d "/sys/block/$DEVICE_NAME" ]; then
+ if [ -f "/sys/block/$DEVICE_NAME/device/sed_opal_key" ]; then
+ echo "Kernel OPAL support detected for device"
+ fi
+fi
+
+echo "TCG device check complete"
\ No newline at end of file
diff --git a/workflows/tcg-storage/scripts/run_kernel_ci.sh b/workflows/tcg-storage/scripts/run_kernel_ci.sh
new file mode 100755
index 00000000..69a188dc
--- /dev/null
+++ b/workflows/tcg-storage/scripts/run_kernel_ci.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# SPDX-License-Identifier: copyleft-next-0.3.1
+# TCG Storage kernel CI test runner
+
+# This script runs TCG storage tests in a kernel CI loop
+
+set -e
+
+TOPDIR="${TOPDIR:-$(git rev-parse --show-toplevel)}"
+RESULTS_DIR="${TOPDIR}/workflows/tcg-storage/results"
+
+# Source common CI functions if available
+if [ -f "${TOPDIR}/scripts/workflows/common/kernel_ci.sh" ]; then
+ source "${TOPDIR}/scripts/workflows/common/kernel_ci.sh"
+fi
+
+echo "Starting TCG Storage Kernel CI testing..."
+echo "Results will be stored in: ${RESULTS_DIR}"
+
+# Create results directory if it doesn't exist
+mkdir -p "${RESULTS_DIR}"
+
+# Run the TCG storage tests
+echo "Running TCG storage tests..."
+make tcg-storage
+
+# Check test results
+if [ -f "${RESULTS_DIR}/summary.txt" ]; then
+ echo "Test summary:"
+ cat "${RESULTS_DIR}/summary.txt"
+fi
+
+# Exit with proper status
+if grep -q "FAILED" "${RESULTS_DIR}/summary.txt" 2>/dev/null; then
+ echo "TCG Storage tests FAILED"
+ exit 1
+else
+ echo "TCG Storage tests PASSED"
+ exit 0
+fi
\ No newline at end of file
diff --git a/workflows/tcg-storage/scripts/run_kernel_ci_kotd.sh b/workflows/tcg-storage/scripts/run_kernel_ci_kotd.sh
new file mode 100755
index 00000000..fd2d285c
--- /dev/null
+++ b/workflows/tcg-storage/scripts/run_kernel_ci_kotd.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# SPDX-License-Identifier: copyleft-next-0.3.1
+# TCG Storage kernel CI test runner for Kernel of the Day (KOTD)
+
+# This script runs TCG storage tests against the latest kernel
+
+set -e
+
+TOPDIR="${TOPDIR:-$(git rev-parse --show-toplevel)}"
+RESULTS_DIR="${TOPDIR}/workflows/tcg-storage/results"
+
+# Source common CI functions if available
+if [ -f "${TOPDIR}/scripts/workflows/common/kernel_ci.sh" ]; then
+ source "${TOPDIR}/scripts/workflows/common/kernel_ci.sh"
+fi
+
+echo "Starting TCG Storage Kernel CI testing with KOTD..."
+echo "Results will be stored in: ${RESULTS_DIR}"
+
+# Create results directory if it doesn't exist
+mkdir -p "${RESULTS_DIR}"
+
+# Update to latest kernel
+echo "Updating to kernel of the day..."
+make linux
+
+# Run the TCG storage tests
+echo "Running TCG storage tests on KOTD..."
+make tcg-storage
+
+# Check test results
+if [ -f "${RESULTS_DIR}/summary.txt" ]; then
+ echo "Test summary:"
+ cat "${RESULTS_DIR}/summary.txt"
+fi
+
+# Exit with proper status
+if grep -q "FAILED" "${RESULTS_DIR}/summary.txt" 2>/dev/null; then
+ echo "TCG Storage tests on KOTD FAILED"
+ exit 1
+else
+ echo "TCG Storage tests on KOTD PASSED"
+ exit 0
+fi
\ No newline at end of file
--
2.51.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2025-09-19 23:13 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-19 23:13 [PATCH] tcg-storage: add TCG Opal storage security testing workflow Luis Chamberlain
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox