On Thu, 24 Oct 2024 at 07:39, Cédric Le Goater <c...@redhat.com> wrote:
>
> This is a simple conversion of the tests with some cleanups and
> adjustments to match the new test framework. Replace the zephyr image
> MD5 hashes with SHA256 hashes while at it.

(ccing Stefan Berger for possible insight into swtpm)

Hi; I find that this swtpm-using test fails for me on my local system due to an apparmor/swtpm problem...

> + @skipUnless(*has_cmd('swtpm')) > + def test_arm_ast2600_evb_buildroot_tpm(self): > + self.set_machine('ast2600-evb') > + > + image_path = self.ASSET_BR2_202302_AST2600_TPM_FLASH.fetch() > + > + socket_dir = tempfile.TemporaryDirectory(prefix="qemu_") > + socket = os.path.join(socket_dir.name, 'swtpm-socket') > + > + subprocess.run(['swtpm', 'socket', '-d', '--tpm2', > + '--tpmstate', f'dir={self.vm.temp_dir}', > + '--ctrl', f'type=unixio,path={socket}']) > + > + self.vm.add_args('-chardev', f'socket,id=chrtpm,path={socket}') > + self.vm.add_args('-tpmdev', 'emulator,id=tpm0,chardev=chrtpm') > + self.vm.add_args('-device', > + > 'tpm-tis-i2c,tpmdev=tpm0,bus=aspeed.i2c.bus.12,address=0x2e') > + self.do_test_arm_aspeed_buildroot_start(image_path, '0xf00', 'Aspeed > AST2600 EVB') > + > + exec_command_and_wait_for_pattern(self, > + 'echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device', > + 'tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)'); > + exec_command_and_wait_for_pattern(self, > + 'cat /sys/class/tpm/tpm0/pcr-sha256/0', > + > 'B804724EA13F52A9072BA87FE8FDCC497DFC9DF9AA15B9088694639C431688E0'); > + > + self.do_test_arm_aspeed_buildroot_poweroff()

The test fails like this:

qemu-system-arm: tpm-emulator: TPM result for CMD_INIT: 0x9 operation failed

Adding extra logging to swtpm (--log file=/tmp/swtpm.log,level=20) reveals:

SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: Permission denied
Error: Could not initialize libtpms.
Error: Could not initialize the TPM

Checking the system logs, this is because apparmor has denied it:

Nov 5 16:01:14 e104462 kernel: [946406.489088] audit: type=1400 audit(1730822474.384:446): apparmor="DENIED" operation="mknod" profile="swtpm" name="/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/tests/functional/arm/test_arm_aspeed.AST2x00Machine.test_arm_ast2600_evb_buildroot_tpm/qemu-machine-hhuvwytc/.lock" pid=2820156 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Q1: why is apparmor forbidding swtpm from doing something that it needs to do to work?

Q2: is there a way to run swtpm such that it is not confined by apparmor, for purposes of running it in a test case?

Q3: if not, is there a way to at least detect that swtpm is broken on this system so we can skip the test case?

(I note that there is a thing in the apparmor config "owner @{HOME}/** rwk" which I think means you only run into this if you happen to be building/testing QEMU somewhere other than your own home directory -- but that's hardly an unreasonable configuration...)

thanks
-- PMM
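
Review bot: the subprocess.run(['swtpm', 'socket', '-d', ...]) call in test_arm_ast2600_evb_buildroot_tpm discards its result, so a swtpm that cannot start is only noticed later as a QEMU-side TPM error. Passing check=True (or testing returncode) would catch startup failures, and adding swtpm's --log option would leave the reason in the test output; note that the failure reported in this reply surfaces at CMD_INIT, after QEMU connects, so it needs a separate check. The '--tpmstate' directory is self.vm.temp_dir, which is the build-tree path named in the AppArmor denial, so where the state directory is created decides whether a confined swtpm can take its lock file. The two exec_command_and_wait_for_pattern(...) calls also end with a stray ';' that should be dropped.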
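
The diagnosis step in the message above (tracing swtpm's "Permission denied" to an AppArmor denial), as an added example that is not part of the original message or of QEMU's test suite. It parses kernel audit records, keeps DENIED entries for the swtpm profile, and checks whether the denied path lies outside a home directory, following the message's reading of the "owner @{HOME}/** rwk" rule; the function names, the second log record and /home/user are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

SAMPLE_LOG = [
    # Audit record quoted in the message above.
    'Nov 5 16:01:14 e104462 kernel: [946406.489088] audit: type=1400 '
    'audit(1730822474.384:446): apparmor="DENIED" operation="mknod" '
    'profile="swtpm" name="/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/'
    'tests/functional/arm/test_arm_aspeed.AST2x00Machine.'
    'test_arm_ast2600_evb_buildroot_tpm/qemu-machine-hhuvwytc/.lock" '
    'pid=2820156 comm="swtpm" requested_mask="c" denied_mask="c" '
    'fsuid=1000 ouid=1000',
    # Constructed record for an unrelated profile, to show the filtering.
    'Nov 5 16:01:15 host kernel: [1.0] audit: type=1400 audit(1.0:1): '
    'apparmor="DENIED" operation="open" profile="example" name="/tmp/x" '
    'pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

# key=value pairs; values are either double-quoted or a bare token.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key=value fields of one audit record as a dict."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in _FIELD.findall(line)}


def swtpm_denials(lines, profile="swtpm"):
    """Return the AppArmor DENIED records raised against `profile`."""
    records = (parse_audit(line) for line in lines)
    return [r for r in records
            if r.get("apparmor") == "DENIED" and r.get("profile") == profile]


def outside_home(record, home):
    """True if the denied path is not located below `home`."""
    return PurePosixPath(home) not in PurePosixPath(record["name"]).parents


if __name__ == "__main__":
    for rec in swtpm_denials(SAMPLE_LOG):
        print(rec["operation"], rec["denied_mask"], rec["name"])
        # /home/user is a constructed home directory.
        print("outside /home/user:", outside_home(rec, "/home/user"))
```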