[kirkstone][meta-tpm][PATCH 1/3] oeqa/swtpm: add swtpm runtime

[kirkstone][meta-tpm][PATCH 1/3] oeqa/swtpm: add swtpm runtime

[Armin Kuster]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 50eff83d428598630d5277904eeeb4b668c31c22)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 meta-tpm/lib/oeqa/runtime/cases/swtpm.py

diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
new file mode 100644
index 0000000..df47b35
--- /dev/null
+++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
@@ -0,0 +1,24 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+
+class SwTpmTest(OERuntimeTestCase):
+    @classmethod
+    def setUpClass(cls):
+        cls.tc.target.run('mkdir /tmp/myvtpm2')
+        cls.tc.target.run('chown tss:root /tmp/myvtpm2')
+
+    @classmethod
+    def tearDownClass(cls):
+        cls.tc.target.run('rm -fr /tmp/myvtpm2')
+
+    @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    @OEHasPackage(['swtpm'])
+    def test_swtpm2_ek_cert(self):
+            cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
+            status, output = self.target.run(cmd)
+            self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
-- 
2.37.3

[kirkstone][meta-tpm][PATCH 2/3] oeqa/tpm2: fix and cleanup tests

[Armin Kuster]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 3db9e08300c3d5e3f7b6e4e6cb743a914ed3f00b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index c2c95e7..e64d19d 100644
--- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -1,11 +1,19 @@
-# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com>
 #
 from oeqa.runtime.case import OERuntimeTestCase
 from oeqa.core.decorator.depends import OETestDepends
 from oeqa.runtime.decorator.package import OEHasPackage
-
+from oeqa.core.decorator.data import skipIfNotFeature
 
 class Tpm2Test(OERuntimeTestCase):
+    @classmethod
+    def setUpClass(cls):
+        cls.tc.target.run('mkdir /tmp/myvtpm2')
+
+    @classmethod
+    def tearDownClass(cls):
+        cls.tc.target.run('rm -fr /tmp/myvtpm2')
+
     def check_endlines(self, results,  expected_endlines): 
         for line in results.splitlines():
             for el in expected_endlines:
@@ -19,20 +27,19 @@ class Tpm2Test(OERuntimeTestCase):
     @OEHasPackage(['tpm2-tools'])
     @OEHasPackage(['tpm2-abrmd'])
     @OEHasPackage(['swtpm'])
+    @skipIfNotFeature('tpm2','Test tpm2_startup requires tpm2 to be in DISTRO_FEATURES')
     @OETestDepends(['ssh.SSHTest.test_ssh'])
-    def test_tpm2_swtpm_socket(self):
+    def test_tpm2_startup(self):
         cmds = [
-                'mkdir /tmp/myvtpm',
-                'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &',
-                'export TPM2TOOLS_TCTI="swtpm:port=2321"',
-                'tpm2_startup -c'
+                'swtpm socket -d --tpmstate dir=/tmp/myvtpm2 --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init',
+                'tpm2_startup -c -T "swtpm:port=2321"',
                ]
 
         for cmd in cmds:
             status, output = self.target.run(cmd)
             self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
 
-    @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket'])
+    @OETestDepends(['tpm2.Tpm2Test.test_tpm2_startup'])
     def test_tpm2_pcrread(self):
          (status, output) = self.target.run('tpm2_pcrread')
          expected_endlines = []
@@ -49,7 +56,7 @@ class Tpm2Test(OERuntimeTestCase):
 
     @OEHasPackage(['p11-kit'])
     @OEHasPackage(['tpm2-pkcs11'])
-    @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket'])
+    @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pcrread'])
     def test_tpm2_pkcs11(self):
          (status, output) = self.target.run('p11-kit list-modules -v')
          self.assertEqual(status, 0, msg="Modules missing: %s" % output)
-- 
2.37.3

[kirkstone][meta-tpm][PATCH 3/3] oeqa: meta-tpm shut swtpm down before and after testing

[Armin Kuster]

fixes:
swtpm: Could not open TCP socket: Address already in use

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit b5642c519b90f83ab6ec1507db9b3b36db43c548)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 2 ++
 meta-tpm/lib/oeqa/runtime/cases/tpm2.py  | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
index df47b35..0be5c59 100644
--- a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
+++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
@@ -8,11 +8,13 @@ from oeqa.core.decorator.data import skipIfNotFeature
 class SwTpmTest(OERuntimeTestCase):
     @classmethod
     def setUpClass(cls):
+        cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
         cls.tc.target.run('mkdir /tmp/myvtpm2')
         cls.tc.target.run('chown tss:root /tmp/myvtpm2')
 
     @classmethod
     def tearDownClass(cls):
+        cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
         cls.tc.target.run('rm -fr /tmp/myvtpm2')
 
     @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index e64d19d..8e90dc9 100644
--- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -8,10 +8,12 @@ from oeqa.core.decorator.data import skipIfNotFeature
 class Tpm2Test(OERuntimeTestCase):
     @classmethod
     def setUpClass(cls):
+        cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
         cls.tc.target.run('mkdir /tmp/myvtpm2')
 
     @classmethod
     def tearDownClass(cls):
+        cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
         cls.tc.target.run('rm -fr /tmp/myvtpm2')
 
     def check_endlines(self, results,  expected_endlines): 
-- 
2.37.3

Re: [yocto] [kirkstone][meta-tpm][PATCH 1/3] oeqa/swtpm: add swtpm runtime

[Mikko Rapeli]

Hi,

I don't mind but is the meta-security policy to accept new features in
stable branches?

FWIW, meta-security meta-tpm master branch does work on kirkstone too.

On Wed, Feb 01, 2023 at 08:26:12AM -0500, Armin Kuster wrote:
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> (cherry picked from commit 50eff83d428598630d5277904eeeb4b668c31c22)
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
>  meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
>  create mode 100644 meta-tpm/lib/oeqa/runtime/cases/swtpm.py
> 
> diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
> new file mode 100644
> index 0000000..df47b35
> --- /dev/null
> +++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
> @@ -0,0 +1,24 @@
> +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
> +#
> +from oeqa.runtime.case import OERuntimeTestCase
> +from oeqa.core.decorator.depends import OETestDepends
> +from oeqa.runtime.decorator.package import OEHasPackage
> +from oeqa.core.decorator.data import skipIfNotFeature

While this test is great to see, it only tests the case where TPM device
is only visible for the userspace of the Linux system. Exposing the TPM
device to bootloader etc requires starting it outside of qemu and
configuring qemu to expose the char device.

With poky master branch with QB_SETUP_CMD support, this can be done
in machine config with:

# setup SW based TPM for testing, note socket file path has 107 character
# length limitations from sockaddr_un
QB_SETUP_CMD = " \
   set -ex; pwd; which swtpm; swtpm --version; which swtpm_setup; \
   test -d '${IMAGE_BASENAME}_swtpm' || ( mkdir -p '${IMAGE_BASENAME}_swtpm' && \
       swtpm_setup --reconfigure --tpmstate '${IMAGE_BASENAME}_swtpm' --tpm2 --pcr-banks sha256 --config $(dirname $( which swtpm ) )/../../etc/swtpm_setup.conf ) && \
   test -f '${IMAGE_BASENAME}_swtpm/tpm2-00.permall' && \
   swtpm socket --tpmstate dir='${IMAGE_BASENAME}_swtpm' \
         --ctrl type=unixio,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' \
         --flags startup-clear \
         --log level=30 --tpm2 -t -d \
"
QB_OPT_APPEND += "-chardev socket,id=chrtpm,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"

In normal cases swtpm exits when client qemu machine exits. If the qemu
machines exits before it connects to the swtpm device, the swtpm process
is leaked but I haven't fixed this yet.

Cheers,

-Mikko

> +class SwTpmTest(OERuntimeTestCase):
> +    @classmethod
> +    def setUpClass(cls):
> +        cls.tc.target.run('mkdir /tmp/myvtpm2')
> +        cls.tc.target.run('chown tss:root /tmp/myvtpm2')
> +
> +    @classmethod
> +    def tearDownClass(cls):
> +        cls.tc.target.run('rm -fr /tmp/myvtpm2')
> +
> +    @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
> +    @OETestDepends(['ssh.SSHTest.test_ssh'])
> +    @OEHasPackage(['swtpm'])
> +    def test_swtpm2_ek_cert(self):
> +            cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
> +            status, output = self.target.run(cmd)
> +            self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
> -- 
> 2.37.3
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#59129): https://lists.yoctoproject.org/g/yocto/message/59129
> Mute This Topic: https://lists.yoctoproject.org/mt/96675158/7159507
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [mikko.rapeli@linaro.org]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

Re: [yocto] [kirkstone][meta-tpm][PATCH 1/3] oeqa/swtpm: add swtpm runtime

[akuster808]

On 2/1/23 10:19 AM, Mikko Rapeli wrote:
> Hi,
>
> I don't mind but is the meta-security policy to accept new features in
> stable branches?

You are correct. I forgot about this one.

Nice catch.

thanks,
Armin
>
> FWIW, meta-security meta-tpm master branch does work on kirkstone too.
>
> On Wed, Feb 01, 2023 at 08:26:12AM -0500, Armin Kuster wrote:
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> (cherry picked from commit 50eff83d428598630d5277904eeeb4b668c31c22)
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> ---
>>   meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 24 ++++++++++++++++++++++++
>>   1 file changed, 24 insertions(+)
>>   create mode 100644 meta-tpm/lib/oeqa/runtime/cases/swtpm.py
>>
>> diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
>> new file mode 100644
>> index 0000000..df47b35
>> --- /dev/null
>> +++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
>> @@ -0,0 +1,24 @@
>> +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
>> +#
>> +from oeqa.runtime.case import OERuntimeTestCase
>> +from oeqa.core.decorator.depends import OETestDepends
>> +from oeqa.runtime.decorator.package import OEHasPackage
>> +from oeqa.core.decorator.data import skipIfNotFeature
> While this test is great to see, it only tests the case where TPM device
> is only visible for the userspace of the Linux system. Exposing the TPM
> device to bootloader etc requires starting it outside of qemu and
> configuring qemu to expose the char device.
>
> With poky master branch with QB_SETUP_CMD support, this can be done
> in machine config with:
>
> # setup SW based TPM for testing, note socket file path has 107 character
> # length limitations from sockaddr_un
> QB_SETUP_CMD = " \
>     set -ex; pwd; which swtpm; swtpm --version; which swtpm_setup; \
>     test -d '${IMAGE_BASENAME}_swtpm' || ( mkdir -p '${IMAGE_BASENAME}_swtpm' && \
>         swtpm_setup --reconfigure --tpmstate '${IMAGE_BASENAME}_swtpm' --tpm2 --pcr-banks sha256 --config $(dirname $( which swtpm ) )/../../etc/swtpm_setup.conf ) && \
>     test -f '${IMAGE_BASENAME}_swtpm/tpm2-00.permall' && \
>     swtpm socket --tpmstate dir='${IMAGE_BASENAME}_swtpm' \
>           --ctrl type=unixio,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' \
>           --flags startup-clear \
>           --log level=30 --tpm2 -t -d \
> "
> QB_OPT_APPEND += "-chardev socket,id=chrtpm,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
>
> In normal cases swtpm exits when client qemu machine exits. If the qemu
> machines exits before it connects to the swtpm device, the swtpm process
> is leaked but I haven't fixed this yet.
>
> Cheers,
>
> -Mikko
>
>> +class SwTpmTest(OERuntimeTestCase):
>> +    @classmethod
>> +    def setUpClass(cls):
>> +        cls.tc.target.run('mkdir /tmp/myvtpm2')
>> +        cls.tc.target.run('chown tss:root /tmp/myvtpm2')
>> +
>> +    @classmethod
>> +    def tearDownClass(cls):
>> +        cls.tc.target.run('rm -fr /tmp/myvtpm2')
>> +
>> +    @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
>> +    @OETestDepends(['ssh.SSHTest.test_ssh'])
>> +    @OEHasPackage(['swtpm'])
>> +    def test_swtpm2_ek_cert(self):
>> +            cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
>> +            status, output = self.target.run(cmd)
>> +            self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
>> -- 
>> 2.37.3
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#59129): https://lists.yoctoproject.org/g/yocto/message/59129
>> Mute This Topic: https://lists.yoctoproject.org/mt/96675158/7159507
>> Group Owner: yocto+owner@lists.yoctoproject.org
>> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [mikko.rapeli@linaro.org]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>