On 11/5/24 11:14 AM, Peter Maydell wrote:
On Thu, 24 Oct 2024 at 07:39, Cédric Le Goater <c...@redhat.com> wrote:
This is a simple conversion of the tests with some cleanups and
adjustments to match the new test framework. Replace the zephyr image
MD5 hashes with SHA256 hashes while at it.
(ccing Stefan Berger for possible insight into swtpm)
Hi; I find that this swtpm-using test fails for me on my
local system due to an apparmor/swtpm problem...
+ @skipUnless(*has_cmd('swtpm'))
+ def test_arm_ast2600_evb_buildroot_tpm(self):
+ self.set_machine('ast2600-evb')
+
+ image_path = self.ASSET_BR2_202302_AST2600_TPM_FLASH.fetch()
+
+ socket_dir = tempfile.TemporaryDirectory(prefix="qemu_")
+ socket = os.path.join(socket_dir.name, 'swtpm-socket')
+
+ subprocess.run(['swtpm', 'socket', '-d', '--tpm2',
+ '--tpmstate', f'dir={self.vm.temp_dir}',
+ '--ctrl', f'type=unixio,path={socket}'])
+
+ self.vm.add_args('-chardev', f'socket,id=chrtpm,path={socket}')
+ self.vm.add_args('-tpmdev', 'emulator,id=tpm0,chardev=chrtpm')
+ self.vm.add_args('-device',
+
'tpm-tis-i2c,tpmdev=tpm0,bus=aspeed.i2c.bus.12,address=0x2e')
+ self.do_test_arm_aspeed_buildroot_start(image_path, '0xf00', 'Aspeed
AST2600 EVB')
+
+ exec_command_and_wait_for_pattern(self,
+ 'echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device',
+ 'tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)');
+ exec_command_and_wait_for_pattern(self,
+ 'cat /sys/class/tpm/tpm0/pcr-sha256/0',
+
'B804724EA13F52A9072BA87FE8FDCC497DFC9DF9AA15B9088694639C431688E0');
+
+ self.do_test_arm_aspeed_buildroot_poweroff()
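Review bot: the `subprocess.run(['swtpm', 'socket', '-d', ...])` call discards its result and has no `check=True`, so a swtpm that fails to start (missing option support, unwritable `--tpmstate` dir, socket path problem) goes unnoticed and the test only dies later on the opaque QEMU-side `tpm-emulator: TPM result for CMD_INIT` error; pass `check=True` so a launch failure fails the test at this step with swtpm's own exit status. Note also that, since `-d` daemonises swtpm, nothing in the hunk stops it after `do_test_arm_aspeed_buildroot_poweroff()`, and the first `exec_command_and_wait_for_pattern` call carries a stray trailing `;`.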
The test fails like this:
qemu-system-arm: tpm-emulator: TPM result for CMD_INIT: 0x9 operation failed
Adding extra logging to swtpm (--log file=/tmp/swtpm.log,level=20) reveals:
SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: Permission denied
Error: Could not initialize libtpms.
Error: Could not initialize the TPM
Checking the system logs, this is because apparmor has denied it:
Nov 5 16:01:14 e104462 kernel: [946406.489088] audit: type=1400 audit(1730822474.384:446): apparmor="DENIED" operation="mknod" profile="swtpm" name="/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/tests/functional/arm/test_arm_aspeed.AST2x00Machine.test_arm_ast2600_evb_buildroot_tpm/qemu-machine-hhuvwytc/.lock" pid=2820156 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Q1: why is apparmor forbidding swtpm from doing something that
it needs to do to work?
What distro and version is this?
The profile may be too strict and may not reflect all the paths needed
for running the test cases. Ubuntu, for example, would have to update
its profile in such a case.
Q2: is there a way to run swtpm such that it is not
confined by apparmor, for purposes of running it in a test case?
Try either one:
- sudo aa-complain /usr/bin/swtpm
- sudo aa-disable /usr/bin/swtpm
Q3: if not, is there a way to at least detect that swtpm is
broken on this system so we can skip the test case?
It's not swtpm that is broken; the AppArmor profile is too strict.
The above command lines should work.
(I note that there is a thing in the apparmor config
"owner @{HOME}/** rwk" which I think means you only run into
this if you happen to be building/testing QEMU somewhere other
than your own home directory -- but that's hardly an
unreasonable configuration...)
thanks
-- PMM
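Q3 in the thread asks how a test could detect that swtpm cannot work on the host and skip instead of failing. The `@skipUnless(*has_cmd('swtpm'))` guard only proves the binary exists; the failure here happens when QEMU sends PTM_INIT over swtpm's control channel. The following is an added example, not QEMU's or swtpm's own code: it starts swtpm against the state directory the test would use, sends the same PTM_INIT request QEMU sends and reports success or the swtpm log tail, and it pulls AppArmor `DENIED` records for `comm="swtpm"` out of kernel log text so the reason (the `mknod` of `.lock` above) is visible. The command numbers (`CMD_INIT = 2`, `CMD_SHUTDOWN = 3`) and the framing (big-endian uint32 command, uint32 payload, uint32 `ptm_res` reply) are taken from swtpm's `tpm_ioctl.h` as used by QEMU's tpm-emulator backend; the swtpm command line mirrors the one in the test plus `--log`; the sample log text is constructed for this example.

```python
"""Probe whether swtpm can initialise a TPM before a test depends on it.
Added example; not part of QEMU, swtpm or the patch under discussion."""
import os
import re
import socket
import struct
import subprocess
import tempfile
import time
from shutil import which

# Control-channel command numbers from swtpm's tpm_ioctl.h (assumed here; the
# same constants QEMU's tpm-emulator backend uses). Every control message is a
# big-endian uint32 command number optionally followed by a payload.
CMD_INIT = 2       # PTM_INIT: payload uint32 init_flags, reply ptm_res
CMD_SHUTDOWN = 3   # PTM_SHUTDOWN: no payload, reply ptm_res

# Matches the kernel audit record format quoted in the thread.
AUDIT_RE = re.compile(
    r'apparmor="DENIED" operation="(?P<op>[^"]+)" profile="(?P<profile>[^"]+)" '
    r'name="(?P<name>[^"]+)".*?comm="(?P<comm>[^"]+)"'
)

# Constructed sample log text (paths and pids invented for the example).
SAMPLE_DMESG = (
    '[946406.489088] audit: type=1400 audit(1730822474.384:446): apparmor="DENIED" '
    'operation="mknod" profile="swtpm" name="/srv/build/qemu/tests/tpm/.lock" '
    'pid=4242 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000\n'
    '[946406.500000] audit: type=1400 audit(1730822474.390:447): apparmor="DENIED" '
    'operation="open" profile="firefox" name="/etc/shadow" pid=1 comm="firefox" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0\n'
)


def encode_ctrl_cmd(cmd: int, payload: bytes = b"") -> bytes:
    """Frame one control-channel command: uint32 BE command number + payload."""
    return struct.pack(">I", cmd) + payload


def encode_init(init_flags: int = 0) -> bytes:
    """PTM_INIT request as QEMU sends it (init_flags 0 = keep volatile state)."""
    return encode_ctrl_cmd(CMD_INIT, struct.pack(">I", init_flags))


def decode_ptm_res(reply: bytes) -> int:
    """ptm_res is a big-endian uint32; 0 is success, 9 is the TPM_FAIL in the
    thread's "CMD_INIT: 0x9 operation failed"."""
    if len(reply) < 4:
        raise ValueError(f"short ptm_res reply: {reply!r}")
    return struct.unpack(">I", reply[:4])[0]


def apparmor_denials(log_text: str, comm: str = "swtpm") -> list:
    """Return AppArmor DENIED records for one program found in log text."""
    found = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if m and m.group("comm") == comm:
            found.append({k: m.group(k) for k in ("op", "profile", "name")})
    return found


def probe_swtpm(swtpm: str = "swtpm", state_dir: str = None, timeout: float = 5.0):
    """Start swtpm against state_dir, send PTM_INIT, return (ok, reason).
    Use the directory the real test will use, since AppArmor rules are per path."""
    if which(swtpm) is None:
        return False, f"{swtpm} not found in PATH"
    tmp = tempfile.TemporaryDirectory(prefix="swtpm_probe_")
    state_dir = state_dir or tmp.name
    ctrl_path = os.path.join(tmp.name, "ctrl.sock")
    log_path = os.path.join(tmp.name, "swtpm.log")
    proc = subprocess.Popen([swtpm, "socket", "--tpm2",
                             "--tpmstate", f"dir={state_dir}",
                             "--ctrl", f"type=unixio,path={ctrl_path}",
                             "--log", f"file={log_path},level=20"])
    try:
        deadline = time.monotonic() + timeout
        while not os.path.exists(ctrl_path):          # wait for the ctrl socket
            if proc.poll() is not None or time.monotonic() > deadline:
                return False, "swtpm exited or never created its control socket"
            time.sleep(0.05)
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(ctrl_path)
            s.sendall(encode_init())
            res = decode_ptm_res(s.recv(4))
            if res == 0:
                s.sendall(encode_ctrl_cmd(CMD_SHUTDOWN))
                s.recv(4)
                return True, f"swtpm initialised a TPM 2.0 with state in {state_dir}"
        tail = ""
        if os.path.exists(log_path):
            with open(log_path) as f:
                tail = f.read()[-400:]
        return False, f"PTM_INIT returned 0x{res:x}; swtpm log tail: {tail}"
    finally:
        proc.terminate()
        try:
            proc.wait(timeout=timeout)
        except subprocess.TimeoutExpired:
            proc.kill()
            proc.wait()
        tmp.cleanup()


if __name__ == "__main__":
    print(probe_swtpm())
    print(apparmor_denials(SAMPLE_DMESG))
```

In a unittest-based test such as the one above, `ok, reason = probe_swtpm(state_dir=self.vm.temp_dir)` followed by `self.skipTest(reason)` when `ok` is false would turn the AppArmor case into a skip with the actual swtpm error in the reason, while `apparmor_denials(open('/var/log/kern.log').read())` (root or adm group needed) names the path the profile rejects so the reporter can point at the exact rule to fix.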