summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnton Antonov <Anton.Antonov@arm.com>2022-05-24 19:05:41 +0100
committerArmin Kuster <akuster808@gmail.com>2022-05-26 16:09:42 -0700
commit7628a3e90b6c51f64fd80ab2180885da4a37412f (patch)
treef39fb5fd2b42f1c208b4a61440f5cf1a95deb272
parentddd4b13ea0e1f0af8d5404fa265c37cd8359865f (diff)
downloadmeta-security-7628a3e90b6c51f64fd80ab2180885da4a37412f.tar.gz
meta-parsec: Update Parsec runtime tests
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-parsec/README.md65
-rw-r--r--meta-parsec/lib/oeqa/runtime/cases/parsec.py135
-rw-r--r--meta-parsec/recipes-core/images/security-parsec-image.bb5
-rw-r--r--meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb1
-rw-r--r--meta-tpm/classes/sanity-meta-tpm.bbclass4
5 files changed, 191 insertions, 19 deletions
diff --git a/meta-parsec/README.md b/meta-parsec/README.md
index 97026ea..f720cd2 100644
--- a/meta-parsec/README.md
+++ b/meta-parsec/README.md
@@ -88,6 +88,71 @@ https://github.com/meta-rust/cargo-bitbake
882. Run cargo-bitbake inside the repository. It will produce a BB file. 882. Run cargo-bitbake inside the repository. It will produce a BB file.
893. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file. 893. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file.
90 90
91Automated Parsec testing with runqemu
92=====================================
93
94 The Yocto build system has the ability to run a series of automated tests for qemu images.
95All the tests are actually commands run on the target system over ssh.
96
97 Meta-parsec includes automated unittests which run end to end Parsec tests.
98The tests are run against:
99- all providers pre-configured in the Parsec config file included in the image.
100- PKCS11 and TPM providers with software backends if softhsm and
101 swtpm packages included in the image.
102
103Meta-parsec also contains a recipe for `security-parsec-image` image with Parsec,
104softhsm and swtpm included.
105
106 Please notice that the account you use to run bitbake should have access to `/dev/kvm`.
107You might need to change permissions or add the account into `kvm` unix group.
108
1091. Testing Parsec with your own image where `parsec-service` and `parsec-tool` are already included.
110
111- Add into your `local.conf`:
112```
113INHERIT += "testimage"
114TEST_SUITES = "ping ssh parsec"
115```
116- Build your image
117```bash
118bitbake <your-image>
119```
120- Run tests
121```bash
122bitbake <your-image> -c testimage
123```
124
1252. Testing Parsec with pre-defined `security-parsec-image` image.
126
127- Add into your `local.conf`:
128```
129DISTRO_FEATURES += " tpm2"
130INHERIT += "testimage"
131TEST_SUITES = "ping ssh parsec"
132```
133- Build security-parsec-image image
134```bash
135bitbake security-parsec-image
136```
137- Run tests
138```bash
139bitbake security-parsec-image -c testimage
140```
141
142Output of a successfull tests run should look similar to:
143```
144RESULTS:
145RESULTS - ping.PingTest.test_ping: PASSED (0.05s)
146RESULTS - ssh.SSHTest.test_ssh: PASSED (0.25s)
147RESULTS - parsec.ParsecTest.test_all_providers: PASSED (1.84s)
148RESULTS - parsec.ParsecTest.test_pkcs11_provider: PASSED (2.91s)
149RESULTS - parsec.ParsecTest.test_tpm_provider: PASSED (3.33s)
150SUMMARY:
151security-parsec-image () - Ran 5 tests in 8.386s
152security-parsec-image - OK - All required tests passed (successes=5, skipped=0, failures=0, errors=0)
153```
154
155
91Manual testing with runqemu 156Manual testing with runqemu
92=========================== 157===========================
93 158
diff --git a/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-parsec/lib/oeqa/runtime/cases/parsec.py
index 547f74c..d3d3f2e 100644
--- a/meta-parsec/lib/oeqa/runtime/cases/parsec.py
+++ b/meta-parsec/lib/oeqa/runtime/cases/parsec.py
@@ -1,33 +1,138 @@
1# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com> 1# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
2# Copyright (C) 2022 Anton Antonov <Anton.Antonov@arm.com>
2# 3#
3import re 4import re
5from tempfile import mkstemp
4 6
5from oeqa.runtime.case import OERuntimeTestCase 7from oeqa.runtime.case import OERuntimeTestCase
6from oeqa.core.decorator.depends import OETestDepends 8from oeqa.core.decorator.depends import OETestDepends
7from oeqa.runtime.decorator.package import OEHasPackage 9from oeqa.runtime.decorator.package import OEHasPackage
10from oeqa.core.decorator.data import skipIfNotFeature
8 11
9class ParsecTest(OERuntimeTestCase): 12class ParsecTest(OERuntimeTestCase):
13 @classmethod
14 def setUpClass(cls):
15 cls.toml_file = '/etc/parsec/config.toml'
16
17 def setUp(self):
18 super(ParsecTest, self).setUp()
19 if 'systemd' in self.tc.td['DISTRO_FEATURES']:
20 self.parsec_status='systemctl status -l parsec'
21 self.parsec_reload='systemctl restart parsec'
22 else:
23 self.parsec_status='pgrep -l parsec'
24 self.parsec_reload='/etc/init.d/parsec reload'
25
26 def copy_subconfig(self, cfg, provider):
27 """ Copy a provider configuration to target and append it to Parsec config """
28
29 tmp_fd, tmp_path = mkstemp()
30 with os.fdopen(tmp_fd, 'w') as f:
31 f.write('\n'.join(cfg))
32
33 (status, output) = self.target.copyTo(tmp_path, "%s-%s" % (self.toml_file, provider))
34 self.assertEqual(status, 0, msg='File could not be copied.\n%s' % output)
35 status, output = self.target.run('cat %s-%s >>%s' % (self.toml_file, provider, self.toml_file))
36 os.remove(tmp_path)
37
38 def check_parsec_providers(self, provider=None, prov_id=None):
39 """ Get Parsec providers list and check for one if defined """
40
41 status, output = self.target.run(self.parsec_status)
42 self.assertEqual(status, 0, msg='Parsec service is not running.\n%s' % output)
43
44 status, output = self.target.run('parsec-tool list-providers')
45 self.assertEqual(status, 0, msg='Cannot get a list of Parsec providers.\n%s' % output)
46 if provider and prov_id:
47 self.assertIn("ID: 0x0%d (%s provider)" % (prov_id, provider),
48 output, msg='%s provider is not configured.' % provider)
49
50 def run_cli_tests(self, prov_id=None):
51 """ Run Parsec CLI end-to-end tests against one or all providers """
52
53 status, output = self.target.run('parsec-cli-tests.sh %s' % ("-%d" % prov_id if prov_id else ""))
54 self.assertEqual(status, 0, msg='Parsec CLI tests failed.\n %s' % output)
55
10 @OEHasPackage(['parsec-service']) 56 @OEHasPackage(['parsec-service'])
11 @OETestDepends(['ssh.SSHTest.test_ssh']) 57 @OETestDepends(['ssh.SSHTest.test_ssh'])
12 def test_parsec_service(self): 58 def test_all_providers(self):
13 toml_file = '/etc/parsec/config.tom' 59 """ Test Parsec service with all pre-defined providers """
14 status, output = self.target.run('echo library_path = "/usr/lib/softhsm/libsofthsm2.so" >> %s' %(toml_file)) 60
15 status, output = self.target.run('echo slot_number = 0 >> %s' %(toml_file)) 61 self.check_parsec_providers()
16 status, output = self.target.run('echo user_pin = "123456" >> %s' %(toml_file)) 62 self.run_cli_tests()
63
64 def configure_tpm_provider(self):
65 """ Create Parsec TPM provider configuration """
66
67 cfg = [
68 '',
69 '[[provider]]',
70 'name = "tpm-provider"',
71 'provider_type = "Tpm"',
72 'key_info_manager = "sqlite-manager"',
73 'tcti = "swtpm:port=2321"',
74 'owner_hierarchy_auth = ""',
75 ]
76 self.copy_subconfig(cfg, "TPM")
77
17 cmds = [ 78 cmds = [
18 '/etc/init.d/parsec stop',
19 'sleep 5',
20 'softhsm2-util --init-token --slot 0 --label "Parsec Service" --pin 123456 --so-pin 123456',
21 'for d in /var/lib/softhsm/tokens/*; do chown -R parsec $d; done',
22 'mkdir /tmp/myvtpm', 79 'mkdir /tmp/myvtpm',
23 'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &', 80 'swtpm socket -d --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init',
24 'export TPM2TOOLS_TCTI="swtpm:port=2321"', 81 'tpm2_startup -c -T "swtpm:port=2321"',
25 'tpm2_startup -c', 82 self.parsec_reload,
26 'sleep 2',
27 '/etc/init.d/parsec start',
28 'parsec-cli-tests.sh'
29 ] 83 ]
30 84
31 for cmd in cmds: 85 for cmd in cmds:
32 status, output = self.target.run(cmd) 86 status, output = self.target.run(cmd)
33 self.assertEqual(status, 0, msg='\n'.join([cmd, output])) 87 self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
88
89 @OEHasPackage(['parsec-service'])
90 @OEHasPackage(['swtpm'])
91 @skipIfNotFeature('tpm2','Test parsec_tpm_provider requires tpm2 to be in DISTRO_FEATURES')
92 @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers'])
93 def test_tpm_provider(self):
94 """ Configure and test Parsec TPM provider with swtpm as a backend """
95
96 prov_id = 3
97 self.configure_tpm_provider()
98 self.check_parsec_providers("TPM", prov_id)
99 self.run_cli_tests(prov_id)
100
101 def configure_pkcs11_provider(self):
102 """ Create Parsec PKCS11 provider configuration """
103
104 status, output = self.target.run('softhsm2-util --init-token --free --label "Parsec Service" --pin 123456 --so-pin 123456')
105 self.assertEqual(status, 0, msg='Failed to init PKCS11 token.\n%s' % output)
106
107 slot = re.search('The token has been initialized and is reassigned to slot (\d*)', output)
108 if slot is None:
109 self.fail('Failed to get PKCS11 slot serial number.\n%s' % output)
110 self.assertNotEqual(slot.group(1), None, msg='Failed to get PKCS11 slot serial number.\n%s' % output)
111
112 cfg = [
113 '',
114 '[[provider]]',
115 'name = "pkcs11-provider"',
116 'provider_type = "Pkcs11"',
117 'key_info_manager = "sqlite-manager"',
118 'library_path = "/usr/lib/softhsm/libsofthsm2.so"',
119 'slot_number = %s' % slot.group(1),
120 'user_pin = "123456"',
121 'allow_export = true',
122 ]
123 self.copy_subconfig(cfg, "PKCS11")
124
125 status, output = self.target.run('for d in /var/lib/softhsm/tokens/*; do chown -R parsec $d; done')
126 status, output = self.target.run(self.parsec_reload)
127 self.assertEqual(status, 0, msg='Failed to reload Parsec.\n%s' % output)
128
129 @OEHasPackage(['parsec-service'])
130 @OEHasPackage(['softhsm'])
131 @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers'])
132 def test_pkcs11_provider(self):
133 """ Configure and test Parsec PKCS11 provider with softhsm as a backend """
134
135 prov_id = 2
136 self.configure_pkcs11_provider()
137 self.check_parsec_providers("PKCS #11", prov_id)
138 self.run_cli_tests(prov_id)
diff --git a/meta-parsec/recipes-core/images/security-parsec-image.bb b/meta-parsec/recipes-core/images/security-parsec-image.bb
index 2ddc543..7add74b 100644
--- a/meta-parsec/recipes-core/images/security-parsec-image.bb
+++ b/meta-parsec/recipes-core/images/security-parsec-image.bb
@@ -1,4 +1,4 @@
1DESCRIPTION = "A small image for building meta-parsec packages" 1DESCRIPTION = "A small image for testing Parsec service with MbedCrypto, TPM and PKCS11 providers"
2 2
3inherit core-image 3inherit core-image
4 4
@@ -10,7 +10,8 @@ IMAGE_INSTALL = "\
10 packagegroup-security-tpm2 \ 10 packagegroup-security-tpm2 \
11 packagegroup-security-parsec \ 11 packagegroup-security-parsec \
12 swtpm \ 12 swtpm \
13 os-release" 13 softhsm \
14 os-release"
14 15
15export IMAGE_BASENAME = "security-parsec-image" 16export IMAGE_BASENAME = "security-parsec-image"
16 17
diff --git a/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb b/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb
index b6c4f59..0af9c3d 100644
--- a/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb
+++ b/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb
@@ -11,7 +11,6 @@ PACKAGES = "\
11 11
12SUMMARY:packagegroup-security-parsec = "Security Parsec" 12SUMMARY:packagegroup-security-parsec = "Security Parsec"
13RDEPENDS:packagegroup-security-parsec = "\ 13RDEPENDS:packagegroup-security-parsec = "\
14 softhsm \
15 parsec-tool \ 14 parsec-tool \
16 parsec-service \ 15 parsec-service \
17 " 16 "
diff --git a/meta-tpm/classes/sanity-meta-tpm.bbclass b/meta-tpm/classes/sanity-meta-tpm.bbclass
index 2f8b52d..1ab03c8 100644
--- a/meta-tpm/classes/sanity-meta-tpm.bbclass
+++ b/meta-tpm/classes/sanity-meta-tpm.bbclass
@@ -2,7 +2,9 @@ addhandler tpm_machinecheck
2tpm_machinecheck[eventmask] = "bb.event.SanityCheck" 2tpm_machinecheck[eventmask] = "bb.event.SanityCheck"
3python tpm_machinecheck() { 3python tpm_machinecheck() {
4 skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1" 4 skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1"
5 if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: 5 if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and \
6 'tpm2' not in e.data.getVar('DISTRO_FEATURES').split() and \
7 not skip_check:
6 bb.warn("You have included the meta-tpm layer, but \ 8 bb.warn("You have included the meta-tpm layer, but \
7'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ 9'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
8and preferred version setting may not take effect. See the meta-tpm README \ 10and preferred version setting may not take effect. See the meta-tpm README \