Re: [kirkstone][meta-tpm][PATCH 1/3] oeqa/swtpm: add swtpm runtime

Armin Kuster

On 2/1/23 10:19 AM, Mikko Rapeli wrote:

I don't mind but is the meta-security policy to accept new features in
stable branches?
You are correct. I forgot about this one.

Nice catch.


FWIW, meta-security meta-tpm master branch does work on kirkstone too.

On Wed, Feb 01, 2023 at 08:26:12AM -0500, Armin Kuster wrote:
Signed-off-by: Armin Kuster <akuster808@...>
(cherry picked from commit 50eff83d428598630d5277904eeeb4b668c31c22)
Signed-off-by: Armin Kuster <akuster808@...>
meta-tpm/lib/oeqa/runtime/cases/ | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 meta-tpm/lib/oeqa/runtime/cases/

diff --git a/meta-tpm/lib/oeqa/runtime/cases/ b/meta-tpm/lib/oeqa/runtime/cases/
new file mode 100644
index 0000000..df47b35
--- /dev/null
+++ b/meta-tpm/lib/oeqa/runtime/cases/
@@ -0,0 +1,24 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@...>
+from import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from import skipIfNotFeature
While this test is great to see, it only tests the case where the TPM device
is only visible to the userspace of the Linux system. Exposing the TPM
device to the bootloader etc. requires starting it outside of qemu and
configuring qemu to expose the char device.

With the poky master branch, which has QB_SETUP_CMD support, this can be done
in the machine config with:

# setup SW based TPM for testing, note socket file path has 107 character
# length limitations from sockaddr_un
# (QB_SETUP_CMD assignment line and closing quote restored; the shell lines are as posted)
QB_SETUP_CMD = "\
set -ex; pwd; which swtpm; swtpm --version; which swtpm_setup; \
test -d '${IMAGE_BASENAME}_swtpm' || ( mkdir -p '${IMAGE_BASENAME}_swtpm' && \
swtpm_setup --reconfigure --tpmstate '${IMAGE_BASENAME}_swtpm' --tpm2 --pcr-banks sha256 --config $(dirname $( which swtpm ) )/../../etc/swtpm_setup.conf ) && \
test -f '${IMAGE_BASENAME}_swtpm/tpm2-00.permall' && \
swtpm socket --tpmstate dir='${IMAGE_BASENAME}_swtpm' \
--ctrl type=unixio,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' \
--flags startup-clear \
--log level=30 --tpm2 -t -d \
"
QB_OPT_APPEND += "-chardev socket,id=chrtpm,path='${IMAGE_BASENAME}_swtpm/swtpm-sock' -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"

In normal cases swtpm exits when the client qemu machine exits. If the qemu
machine exits before it connects to the swtpm device, the swtpm process
is leaked, but I haven't fixed this yet.



+class SwTpmTest(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+'mkdir /tmp/myvtpm2')
+'chown tss:root /tmp/myvtpm2')
+ @classmethod
+ def tearDownClass(cls):
+'rm -fr /tmp/myvtpm2')
+ @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ @OEHasPackage(['swtpm'])
+ def test_swtpm2_ek_cert(self):
+ cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
+ status, output =
+ self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
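Review bot: the trailing comma on `cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',` makes `cmd` a one-element tuple rather than a string, so the command cannot be run as written; drop the comma. The skip message `'Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES'` names a different test than `test_swtpm2_ek_cert`; update it to match the method it decorates. Also, `setUpClass` ignores the status of `mkdir /tmp/myvtpm2` and `chown tss:root /tmp/myvtpm2`, so a failed setup only surfaces later as an opaque swtpm_setup failure; check those return codes (or use `mkdir -p` and fail early) so the assertion message points at the real cause.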

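As an added example (not from the thread or from meta-security), this wrapper applies the swtpm-outside-qemu recipe quoted above with two defensive additions: it rejects a control socket path that exceeds the sockaddr_un limit the comment mentions, and it records the daemonised swtpm's pid so the process is stopped even when qemu exits before connecting, the leak described above. It assumes swtpm and swtpm_setup are on PATH; the function names and the STATE_DIR / QEMU_CMD argument names are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): wrap the swtpm + qemu recipe above so that
# (a) a socket path longer than sockaddr_un allows is rejected up front and
# (b) the swtpm daemon is stopped even when qemu exits before connecting to it.
# Assumes swtpm and swtpm_setup on PATH; STATE_DIR and QEMU_CMD are placeholder
# names chosen for this example.

# sun_path is 108 bytes including the terminating NUL, so 107 characters is the maximum.
check_sock_path() {
    [ "${#1}" -le 107 ]
}

# qemu arguments that attach the emulator, the same shape as the QB_OPT_APPEND above.
qemu_tpm_args() {
    printf '%s' "-chardev socket,id=chrtpm,path=$1 -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
}

# Stop the daemon named in a pid file if it is still running, then remove the file.
# Returns 1 only if the pid file cannot be read; safe to call more than once.
stop_swtpm() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    if kill -0 "$pid" 2>/dev/null; then
        kill "$pid" 2>/dev/null || true
        i=0
        while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 20 ]; do sleep 0.1; i=$((i + 1)); done
        if kill -0 "$pid" 2>/dev/null; then kill -9 "$pid" 2>/dev/null || true; fi
    fi
    rm -f "$pidfile"
    return 0
}

# Usage: run_with_swtpm STATE_DIR QEMU_CMD [qemu args...]
run_with_swtpm() {
    state=$1; shift
    sock="$state/swtpm-sock"; pidfile="$state/swtpm.pid"
    check_sock_path "$sock" || { echo "socket path exceeds 107 bytes: $sock" >&2; return 1; }
    mkdir -p "$state"
    [ -f "$state/tpm2-00.permall" ] || swtpm_setup --tpmstate "$state" --tpm2 --pcr-banks sha256 || return 1
    # --pid file= records the daemonised swtpm so the cleanup below can find it.
    swtpm socket --tpmstate dir="$state" --ctrl type=unixio,path="$sock" --pid file="$pidfile" \
        --flags startup-clear --log level=30 --tpm2 -t -d || return 1
    # Runs on normal exit, Ctrl-C and SIGTERM, so an early qemu exit no longer leaks swtpm.
    trap 'stop_swtpm "$pidfile"' EXIT INT TERM
    "$@" $(qemu_tpm_args "$sock")
}
```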