Message ID | 20230217130540.509910-4-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
State | Superseded |
Series | Encrypt Partition in initramfs | expand |
On 17.02.23 14:05, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This allows testing the tpm2 encryption with qemu. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > start-qemu.sh | 23 ++++++++++++++++++----- > 1 file changed, 18 insertions(+), 5 deletions(-) > > diff --git a/start-qemu.sh b/start-qemu.sh > index dd16aed..3ef2acc 100755 > --- a/start-qemu.sh > +++ b/start-qemu.sh > @@ -139,11 +139,24 @@ QEMU_COMMON_OPTIONS=" \ > -m 1G \ > -serial mon:stdio \ > -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ > - ${QEMU_EXTRA_ARGS}" > + " > > if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then > case "${arch}" in > x86|x86_64|amd64) > + if [ -x /usr/bin/swtpm ]; then > + swtpm_dir="/tmp/qemu-swtpm" > + mkdir -p ${swtpm_dir} > + rm ${swtpm_dir}/* > + if swtpm socket -d --tpmstate dir=${swtpm_dir} \ > + --ctrl type=unixio,path=${swtpm_dir}/sock \ > + --tpm2; then > + QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \ > + -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \ > + -tpmdev emulator,id=tpm0,chardev=chrtpm \ > + -device tpm-tis,tpmdev=tpm0" > + fi > + fi There are some space-based indentions in this block, messing things up visually. Jan > if [ -n "${SECURE_BOOT}" ]; then > ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd} > ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd} 
> @@ -154,14 +167,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then > -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ > -drive if=pflash,format=raw,file=${ovmf_vars} \ > -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ > - ${QEMU_COMMON_OPTIONS} "$@" > + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" > else > ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd} > > ${QEMU_PATH}${QEMU} \ > -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ > -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ > - ${QEMU_COMMON_OPTIONS} "$@" > + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" > fi > ;; > arm64|aarch64|arm|armhf) > @@ -170,7 +183,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then > ${QEMU_PATH}${QEMU} \ > -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ > -bios ${u_boot_bin} \ > - ${QEMU_COMMON_OPTIONS} "$@" > + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" > ;; > *) > echo "Unsupported architecture: ${arch}" > @@ -187,5 +200,5 @@ else > -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ > -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ > -initrd ${INITRD_FILE} \ > - ${QEMU_COMMON_OPTIONS} "$@" > + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" > fi
On 2/17/23 15:49, Jan Kiszka wrote: > On 17.02.23 14:05, Quirin Gylstorff wrote: >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> This allows testing the tpm2 encryption with qemu. >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> start-qemu.sh | 23 ++++++++++++++++++----- >> 1 file changed, 18 insertions(+), 5 deletions(-) >> >> diff --git a/start-qemu.sh b/start-qemu.sh >> index dd16aed..3ef2acc 100755 >> --- a/start-qemu.sh >> +++ b/start-qemu.sh >> @@ -139,11 +139,24 @@ QEMU_COMMON_OPTIONS=" \ >> -m 1G \ >> -serial mon:stdio \ >> -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ >> - ${QEMU_EXTRA_ARGS}" >> + " >> >> if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then >> case "${arch}" in >> x86|x86_64|amd64) >> + if [ -x /usr/bin/swtpm ]; then >> + swtpm_dir="/tmp/qemu-swtpm" >> + mkdir -p ${swtpm_dir} >> + rm ${swtpm_dir}/* >> + if swtpm socket -d --tpmstate dir=${swtpm_dir} \ >> + --ctrl type=unixio,path=${swtpm_dir}/sock \ >> + --tpm2; then >> + QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \ >> + -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \ >> + -tpmdev emulator,id=tpm0,chardev=chrtpm \ >> + -device tpm-tis,tpmdev=tpm0" >> + fi >> + fi > > There are some space-based indentions in this block, messing things up > visually. > > Jan I will fix that in v3 and add a check if if TPM2 is requested by KConfig. Quirin > >> if [ -n "${SECURE_BOOT}" ]; then >> ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd} >> ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd} 
>> @@ -154,14 +167,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then >> -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ >> -drive if=pflash,format=raw,file=${ovmf_vars} \ >> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ >> - ${QEMU_COMMON_OPTIONS} "$@" >> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" >> else >> ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd} >> >> ${QEMU_PATH}${QEMU} \ >> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ >> -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ >> - ${QEMU_COMMON_OPTIONS} "$@" >> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" >> fi >> ;; >> arm64|aarch64|arm|armhf) >> @@ -170,7 +183,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then >> ${QEMU_PATH}${QEMU} \ >> -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ >> -bios ${u_boot_bin} \ >> - ${QEMU_COMMON_OPTIONS} "$@" >> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" >> ;; >> *) >> echo "Unsupported architecture: ${arch}" >> @@ -187,5 +200,5 @@ else >> -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ >> -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ >> -initrd ${INITRD_FILE} \ >> - ${QEMU_COMMON_OPTIONS} "$@" >> + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" >> fi >
diff --git a/start-qemu.sh b/start-qemu.sh index dd16aed..3ef2acc 100755 --- a/start-qemu.sh +++ b/start-qemu.sh @@ -139,11 +139,24 @@ QEMU_COMMON_OPTIONS=" \ -m 1G \ -serial mon:stdio \ -netdev user,id=net,hostfwd=tcp:127.0.0.1:22222-:22 \ - ${QEMU_EXTRA_ARGS}" + " if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then case "${arch}" in x86|x86_64|amd64) + if [ -x /usr/bin/swtpm ]; then + swtpm_dir="/tmp/qemu-swtpm" + mkdir -p ${swtpm_dir} + rm ${swtpm_dir}/* + if swtpm socket -d --tpmstate dir=${swtpm_dir} \ + --ctrl type=unixio,path=${swtpm_dir}/sock \ + --tpm2; then + QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \ + -chardev socket,id=chrtpm,path=${swtpm_dir}/sock \ + -tpmdev emulator,id=tpm0,chardev=chrtpm \ + -device tpm-tis,tpmdev=tpm0" + fi + fi if [ -n "${SECURE_BOOT}" ]; then ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd} ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd} @@ -154,14 +167,14 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ -drive if=pflash,format=raw,file=${ovmf_vars} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" else ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd} ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" fi ;; arm64|aarch64|arm|armhf) @@ -170,7 +183,7 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then ${QEMU_PATH}${QEMU} \ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \ -bios ${u_boot_bin} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" ;; *) echo "Unsupported architecture: ${arch}" 
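Review bot: The swtpm state directory in the first hunk is a fixed, predictable path, `swtpm_dir="/tmp/qemu-swtpm"`, followed by `mkdir -p ${swtpm_dir}` and `rm ${swtpm_dir}/*`; on a shared host another local user can pre-create or symlink that directory, so the emulated TPM's persistent state (which this series relies on for the partition-encryption key) would live in a directory the script does not own, and the glob `rm` also fails noisily when the directory is empty. A private directory from `mktemp -d` sidesteps both, and since swtpm is started with `-d` nothing visible stops it or removes the state afterwards, so an EXIT trap plus `--terminate` (swtpm exits once QEMU closes the connection) would avoid leaving a daemon bound to the socket; this assumes QEMU runs in the foreground as the visible command lines suggest. For the same reason `[ -x /usr/bin/swtpm ]` could become `command -v swtpm`, and the path expansions should be quoted. The remaining hunks only append `${QEMU_EXTRA_ARGS}` to the existing invocations and look fine.
```shell
if command -v swtpm >/dev/null 2>&1; then
    swtpm_dir=$(mktemp -d) || exit 1
    trap 'rm -rf -- "${swtpm_dir}"' EXIT
    if swtpm socket -d --tpmstate dir="${swtpm_dir}" \
        --ctrl type=unixio,path="${swtpm_dir}/sock" \
        --tpm2 --terminate; then
        # … unchanged: QEMU_EXTRA_ARGS assignment …
    fi
fi
```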
@@ -187,5 +200,5 @@ else -drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \ -kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ -initrd ${INITRD_FILE} \ - ${QEMU_COMMON_OPTIONS} "$@" + ${QEMU_COMMON_OPTIONS} ${QEMU_EXTRA_ARGS} "$@" fi