authorAnton Antonov <Anton.Antonov@arm.com>2022-08-23 18:11:38 +0100
committerArmin Kuster <akuster808@gmail.com>2022-08-25 08:17:39 -0400
commit2753e73086c86f1065f7dace959c38d1d89fd9c5 (patch)
treeee602f0aa649d5816d852a4019da13f60ebc1a7c
parent64b64696a9deef8a6bdeacab8137b6305c4750b7 (diff)
downloadmeta-security-2753e73086c86f1065f7dace959c38d1d89fd9c5.tar.gz
parsec-service: Update oeqa tests
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
-rw-r--r--meta-parsec/README.md3
-rw-r--r--meta-parsec/lib/oeqa/runtime/cases/parsec.py100
-rw-r--r--meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb5
3 files changed, 92 insertions, 16 deletions
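diff --git a/meta-parsec/README.md b/meta-parsec/README.md
index f720cd2..99935bc 100644
--- a/meta-parsec/README.md
+++ b/meta-parsec/README.md
@@ -99,6 +99,7 @@ The tests are run against:
 - all providers pre-configured in the Parsec config file included in the image.
 - PKCS11 and TPM providers with software backends if softhsm and
  swtpm packages included in the image.
+- TS Provider if Parsec is built with it included.
 
 Meta-parsec also contains a recipe for `security-parsec-image` image with Parsec,
 softhsm and swtpm included.
@@ -214,7 +215,7 @@ systemctl start parsec
  The IBM Software TPM service can be used for manual testing of the provider by
 including it into your test image:
 
- IMAGE_INSTALL:append = " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim"
+ IMAGE_INSTALL:append = " swtpm tpm2-tools libtss2 libtss2-tcti-mssim"
 
 Inside the running VM:
 - Stop Parsec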
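diff --git a/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-parsec/lib/oeqa/runtime/cases/parsec.py
index 11e5572..6be84ba 100644
--- a/meta-parsec/lib/oeqa/runtime/cases/parsec.py
+++ b/meta-parsec/lib/oeqa/runtime/cases/parsec.py
@@ -12,12 +12,8 @@ from oeqa.core.decorator.data import skipIfNotFeature
 class ParsecTest(OERuntimeTestCase):
  @classmethod
  def setUpClass(cls):
- cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
  cls.toml_file = '/etc/parsec/config.toml'
-
- @classmethod
- def tearDownClass(cls):
- cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
+ cls.tc.target.run('cp -p %s %s-original' % (cls.toml_file, cls.toml_file))
 
  def setUp(self):
  super(ParsecTest, self).setUp()
@@ -40,6 +36,11 @@ class ParsecTest(OERuntimeTestCase):
  status, output = self.target.run('cat %s-%s >>%s' % (self.toml_file, provider, self.toml_file))
  os.remove(tmp_path)
 
+ def restore_parsec_config(self):
+ """ Restore original Parsec config """
+ self.target.run('cp -p %s-original %s' % (self.toml_file, self.toml_file))
+ self.target.run(self.parsec_reload)
+
  def check_parsec_providers(self, provider=None, prov_id=None):
  """ Get Parsec providers list and check for one if defined """
 
@@ -58,6 +59,23 @@ class ParsecTest(OERuntimeTestCase):
  status, output = self.target.run('parsec-cli-tests.sh %s' % ("-%d" % prov_id if prov_id else ""))
  self.assertEqual(status, 0, msg='Parsec CLI tests failed.\n %s' % output)
 
+ def check_packageconfig(self, prov):
+ """ Check that the require provider is included in Parsec """
+ if prov not in self.tc.td['PACKAGECONFIG:pn-parsec-service']:
+ self.skipTest('%s provider is not included in Parsec. Parsec PACKAGECONFIG: "%s"' % \
+ (prov, self.tc.td['PACKAGECONFIG:pn-parsec-service']))
+
+ def check_packages(self, prov, packages):
+ """ Check for the required packages for Parsec providers software backends """
+ if isinstance(packages, str):
+ need_pkgs = set([packages,])
+ else:
+ need_pkgs = set(packages)
+
+ if not self.tc.image_packages.issuperset(need_pkgs):
+ self.skipTest('%s provider is not configured and packages "%s" are not included into the image' % \
+ (prov, need_pkgs))
+
  @OEHasPackage(['parsec-service'])
  @OETestDepends(['ssh.SSHTest.test_ssh'])
  def test_all_providers(self):
@@ -84,7 +102,9 @@ class ParsecTest(OERuntimeTestCase):
  'mkdir /tmp/myvtpm',
  'swtpm socket -d --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init',
  'tpm2_startup -c -T "swtpm:port=2321"',
+ 'chown -R parsec /tmp/myvtpm',
  self.parsec_reload,
+ 'sleep 5',
  ]
 
  for cmd in cmds:
@@ -92,16 +112,30 @@ class ParsecTest(OERuntimeTestCase):
  self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
 
  @OEHasPackage(['parsec-service'])
- @OEHasPackage(['swtpm'])
  @skipIfNotFeature('tpm2','Test parsec_tpm_provider requires tpm2 to be in DISTRO_FEATURES')
- @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
  def test_tpm_provider(self):
  """ Configure and test Parsec TPM provider with swtpm as a backend """
 
+ self.check_packageconfig("TPM")
+
+ reconfigure = False
  prov_id = 3
- self.configure_tpm_provider()
- self.check_parsec_providers("TPM", prov_id)
+ try:
+ # Chech if the provider is already configured
+ self.check_parsec_providers("TPM", prov_id)
+ except:
+ # Try to test the provider with a software backend
+ self.check_packages("TPM", ['swtpm', 'tpm2-tools'])
+ reconfigure = True
+ self.configure_tpm_provider()
+ self.check_parsec_providers("TPM", prov_id)
+
  self.run_cli_tests(prov_id)
+ self.restore_parsec_config()
+
+ if reconfigure:
+ self.target.run('swtpm_ioctl -s --tcp :2322')
 
  def configure_pkcs11_provider(self):
  """ Create Parsec PKCS11 provider configuration """
@@ -132,12 +166,52 @@ class ParsecTest(OERuntimeTestCase):
  self.assertEqual(status, 0, msg='Failed to reload Parsec.\n%s' % output)
 
  @OEHasPackage(['parsec-service'])
- @OEHasPackage(['softhsm'])
- @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
  def test_pkcs11_provider(self):
  """ Configure and test Parsec PKCS11 provider with softhsm as a backend """
 
+ self.check_packageconfig("PKCS11")
  prov_id = 2
- self.configure_pkcs11_provider()
- self.check_parsec_providers("PKCS #11", prov_id)
+ try:
+ # Chech if the provider is already configured
+ self.check_parsec_providers("PKCS #11", prov_id)
+ except:
+ # Try to test the provider with a software backend
+ self.check_packages("PKCS11", 'softhsm')
+ self.configure_pkcs11_provider()
+ self.check_parsec_providers("PKCS #11", prov_id)
+
+ self.run_cli_tests(prov_id)
+ self.restore_parsec_config()
+
+ def configure_TS_provider(self):
+ """ Create Trusted Services provider configuration """
+
+ cfg = [
+ '',
+ '[[provider]]',
+ 'name = "trusted-service-provider"',
+ 'provider_type = "TrustedService"',
+ 'key_info_manager = "sqlite-manager"',
+ ]
+ self.copy_subconfig(cfg, "TS")
+
+ status, output = self.target.run(self.parsec_reload)
+ self.assertEqual(status, 0, msg='Failed to reload Parsec.\n%s' % output)
+
+ @OEHasPackage(['parsec-service'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_TS_provider(self):
+ """ Configure and test Parsec PKCS11 provider with softhsm as a backend """
+
+ self.check_packageconfig("TS")
+ prov_id = 4
+ try:
+ # Chech if the provider is already configured
+ self.check_parsec_providers("Trusted Service", prov_id)
+ except:
+ self.configure_TS_provider()
+ self.check_parsec_providers("Trusted Service", prov_id)
+
  self.run_cli_tests(prov_id)
+ self.restore_parsec_config()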
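Review bot: In `test_tpm_provider`, `test_pkcs11_provider` and `test_TS_provider`, the new `self.restore_parsec_config()` call (and the `swtpm_ioctl -s` stop in the TPM test) is only reached when `run_cli_tests` passes. With `tearDownClass` removed, a failing assertion leaves the rewritten `/etc/parsec/config.toml` and a running swtpm on the target for every later test. Registering the cleanup up front, e.g. `self.addCleanup(self.restore_parsec_config)` right after `check_packageconfig(...)`, would restore the target state on failure as well. The bare `except:` around the first `check_parsec_providers` call also treats any error, including target/SSH failures and KeyboardInterrupt, as "provider not configured"; `except AssertionError:` would limit the fallback to a failed provider check, assuming that helper reports a missing provider through an assert (its body is outside these hunks). `restore_parsec_config` also ignores the status of both `self.target.run` calls, unlike the other helpers, and the `test_TS_provider` docstring still describes the PKCS11/softhsm test.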
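diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
index 2a25178..931abee 100644
--- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
+++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
@@ -69,9 +69,10 @@ do_install () {
 
 inherit useradd
 USERADD_PACKAGES = "${PN}"
-USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec"
 GROUPADD_PARAM:${PN} = "-r parsec"
-GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss', '', d)}"
+USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec"
+GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss ;', '', d)}"
+GROUPMEMS_PARAM:${PN} += "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'trusted-service-provider', '-a parsec -g teeclnt', '', d)}"
 
 FILES:${PN} += " \
  ${sysconfdir}/parsec/config.toml \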
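Review bot: The ` ;` separator is baked into the `tss` entry of `GROUPMEMS_PARAM:${PN}`, so with only `tpm-provider` enabled the value ends in a dangling `;`. It is worth confirming that the useradd class tolerates that, and stating it in a comment above the two assignments, e.g. `# ';' separates groupmems invocations; the trailing one is left in place when the TS provider is disabled`. Adding `parsec` to `teeclnt` also assumes that group already exists when this package's user and group setup runs. Nothing in this hunk shows the recipe that creates it being pulled in, so please confirm the dependency is declared elsewhere in the recipe, which continues outside the hunk.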