diff options
| author | Patrick Ohly <patrick.ohly@intel.com> | 2017-02-03 09:46:13 +0100 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2017-02-18 11:43:20 -0800 |
| commit | 6cf0415d8a3553353ec2e8ddbf85d80604a7c5a8 (patch) | |
| tree | f2be662e45bea82a089b520b0752354d6e472255 | |
| parent | 520b3a44e09d5c962772488f14308db084fc2fbc (diff) | |
| download | meta-security-6cf0415d8a3553353ec2e8ddbf85d80604a7c5a8.tar.gz | |
swtpm-wrappers: simplify using swtpm-native
Native tools exist in recipe specific sysroots and are normally
not meant to be called from outside a build. But that's what we
need to do when using swtpm-native together with qemu, so these
wrappers make that possible by setting up the necessary environment
and hiding the internal paths.
Invoking swtpm_setup.sh gets some special support: swtpm_setup.sh runs
two daemons, tcsd and swtpm, of which tcsd insists on running as root
or tss. In practice, running as the normal user is perfectly
fine. Instead of patching the upstream source code, the approach take
here is to run under pseudo.
Usage examples:
$ bitbake swtpm-wrappers
$ mkdir -p my-machine/myvtpm0
$ tmp-glibc/work/x86_64-linux/swtpm-wrappers/1.0-r0/swtpm_setup_oe.sh --tpm-state my-machine/myvtpm0
Starting vTPM manufacturing as root:root @ Mon 16 Jan 2017 04:09:21 PM CET
TPM is listening on TCP port 55675.
-rw------- 1 root root 65 Jan 16 16:09 /tmp/tmp.2yJBKTTwRk
Ending vTPM manufacturing @ Mon 16 Jan 2017 04:09:21 PM CET
The resulting "my-machine/myvtpm0" can then be used with swtpm (this
time, it really has to be running as root because it uses CUSE to
create /dev/vtpm0, and an absolute path is needed for the tpm state
dir) and qemu-tpm (patches not currently in OE-core, have to be
applied manually):
$ sudo tmp-glibc/work/x86_64-linux/swtpm-wrappers/1.0-r0/swtpm_cuse_oe.sh -n vtpm0 --tpmstate dir=`pwd`/my-machine/myvtpm0
$ sudo chmod a+rw /dev/vtpm0
$ runqemu ... 'qemuparams=-tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0'
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | recipes-tpm/swtpm/swtpm-wrappers.bb | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/recipes-tpm/swtpm/swtpm-wrappers.bb b/recipes-tpm/swtpm/swtpm-wrappers.bb new file mode 100644 index 0000000..676c35e --- /dev/null +++ b/recipes-tpm/swtpm/swtpm-wrappers.bb | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools" | ||
| 2 | LICENSE = "MIT" | ||
| 3 | DEPENDS = "swtpm-native tpm-tools-native" | ||
| 4 | |||
| 5 | inherit native | ||
| 6 | |||
| 7 | # The whole point of the recipe is to make files available | ||
| 8 | # for use after the build is done, so don't clean up... | ||
| 9 | RM_WORK_EXCLUDE += "${PN}" | ||
| 10 | |||
| 11 | do_create_wrapper () { | ||
| 12 | cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF | ||
| 13 | #! /bin/sh | ||
| 14 | # | ||
| 15 | # Wrapper around swtpm_setup.sh which adds parameters required to | ||
| 16 | # run the setup as non-root directly from the native sysroot. | ||
| 17 | |||
| 18 | PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH" | ||
| 19 | export PATH | ||
| 20 | |||
| 21 | # tcsd only allows to be run as root or tss. Pretend to be root... | ||
| 22 | exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@" | ||
| 23 | EOF | ||
| 24 | |||
| 25 | cat >${WORKDIR}/swtpm_cuse_oe.sh <<EOF | ||
| 26 | #! /bin/sh | ||
| 27 | # | ||
| 28 | # Wrapper around swtpm_cuse which makes it easier to invoke | ||
| 29 | # the right binary. Has to be run as root with TPM_PATH set | ||
| 30 | # to a directory initialized as virtual TPM by swtpm_setup_oe.sh. | ||
| 31 | |||
| 32 | PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH" | ||
| 33 | export PATH | ||
| 34 | |||
| 35 | exec swtpm_cuse "\$@" | ||
| 36 | EOF | ||
| 37 | |||
| 38 | chmod a+rx ${WORKDIR}/*.sh | ||
| 39 | } | ||
| 40 | |||
| 41 | addtask do_create_wrapper before do_build after do_prepare_recipe_sysroot | ||