diff options
author | Anton Antonov <Anton.Antonov@arm.com> | 2022-05-24 19:05:41 +0100 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2022-05-26 16:09:42 -0700 |
commit | 7628a3e90b6c51f64fd80ab2180885da4a37412f (patch) | |
tree | f39fb5fd2b42f1c208b4a61440f5cf1a95deb272 | |
parent | ddd4b13ea0e1f0af8d5404fa265c37cd8359865f (diff) | |
download | meta-security-7628a3e90b6c51f64fd80ab2180885da4a37412f.tar.gz |
meta-parsec: Update Parsec runtime tests
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-parsec/README.md | 65 | ||||
-rw-r--r-- | meta-parsec/lib/oeqa/runtime/cases/parsec.py | 135 | ||||
-rw-r--r-- | meta-parsec/recipes-core/images/security-parsec-image.bb | 5 | ||||
-rw-r--r-- | meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb | 1 | ||||
-rw-r--r-- | meta-tpm/classes/sanity-meta-tpm.bbclass | 4 |
5 files changed, 191 insertions, 19 deletions
diff --git a/meta-parsec/README.md b/meta-parsec/README.md index 97026ea..f720cd2 100644 --- a/meta-parsec/README.md +++ b/meta-parsec/README.md | |||
@@ -88,6 +88,71 @@ https://github.com/meta-rust/cargo-bitbake | |||
88 | 2. Run cargo-bitbake inside the repository. It will produce a BB file. | 88 | 2. Run cargo-bitbake inside the repository. It will produce a BB file. |
89 | 3. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file. | 89 | 3. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file. |
90 | 90 | ||
91 | Automated Parsec testing with runqemu | ||
92 | ===================================== | ||
93 | |||
94 | The Yocto build system has the ability to run a series of automated tests for qemu images. | ||
95 | All the tests are actually commands run on the target system over ssh. | ||
96 | |||
97 | Meta-parsec includes automated unittests which run end to end Parsec tests. | ||
98 | The tests are run against: | ||
99 | - all providers pre-configured in the Parsec config file included in the image. | ||
100 | - PKCS11 and TPM providers with software backends if softhsm and | ||
101 | swtpm packages included in the image. | ||
102 | |||
103 | Meta-parsec also contains a recipe for `security-parsec-image` image with Parsec, | ||
104 | softhsm and swtpm included. | ||
105 | |||
106 | Please notice that the account you use to run bitbake should have access to `/dev/kvm`. | ||
107 | You might need to change permissions or add the account into `kvm` unix group. | ||
108 | |||
109 | 1. Testing Parsec with your own image where `parsec-service` and `parsec-tool` are already included. | ||
110 | |||
111 | - Add into your `local.conf`: | ||
112 | ``` | ||
113 | INHERIT += "testimage" | ||
114 | TEST_SUITES = "ping ssh parsec" | ||
115 | ``` | ||
116 | - Build your image | ||
117 | ```bash | ||
118 | bitbake <your-image> | ||
119 | ``` | ||
120 | - Run tests | ||
121 | ```bash | ||
122 | bitbake <your-image> -c testimage | ||
123 | ``` | ||
124 | |||
125 | 2. Testing Parsec with pre-defined `security-parsec-image` image. | ||
126 | |||
127 | - Add into your `local.conf`: | ||
128 | ``` | ||
129 | DISTRO_FEATURES += " tpm2" | ||
130 | INHERIT += "testimage" | ||
131 | TEST_SUITES = "ping ssh parsec" | ||
132 | ``` | ||
133 | - Build security-parsec-image image | ||
134 | ```bash | ||
135 | bitbake security-parsec-image | ||
136 | ``` | ||
137 | - Run tests | ||
138 | ```bash | ||
139 | bitbake security-parsec-image -c testimage | ||
140 | ``` | ||
141 | |||
142 | Output of a successfull tests run should look similar to: | ||
143 | ``` | ||
144 | RESULTS: | ||
145 | RESULTS - ping.PingTest.test_ping: PASSED (0.05s) | ||
146 | RESULTS - ssh.SSHTest.test_ssh: PASSED (0.25s) | ||
147 | RESULTS - parsec.ParsecTest.test_all_providers: PASSED (1.84s) | ||
148 | RESULTS - parsec.ParsecTest.test_pkcs11_provider: PASSED (2.91s) | ||
149 | RESULTS - parsec.ParsecTest.test_tpm_provider: PASSED (3.33s) | ||
150 | SUMMARY: | ||
151 | security-parsec-image () - Ran 5 tests in 8.386s | ||
152 | security-parsec-image - OK - All required tests passed (successes=5, skipped=0, failures=0, errors=0) | ||
153 | ``` | ||
154 | |||
155 | |||
91 | Manual testing with runqemu | 156 | Manual testing with runqemu |
92 | =========================== | 157 | =========================== |
93 | 158 | ||
diff --git a/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-parsec/lib/oeqa/runtime/cases/parsec.py index 547f74c..d3d3f2e 100644 --- a/meta-parsec/lib/oeqa/runtime/cases/parsec.py +++ b/meta-parsec/lib/oeqa/runtime/cases/parsec.py | |||
@@ -1,33 +1,138 @@ | |||
1 | # Copyright (C) 2022 Armin Kuster <akuster808@gmail.com> | 1 | # Copyright (C) 2022 Armin Kuster <akuster808@gmail.com> |
2 | # Copyright (C) 2022 Anton Antonov <Anton.Antonov@arm.com> | ||
2 | # | 3 | # |
3 | import re | 4 | import re |
5 | from tempfile import mkstemp | ||
4 | 6 | ||
5 | from oeqa.runtime.case import OERuntimeTestCase | 7 | from oeqa.runtime.case import OERuntimeTestCase |
6 | from oeqa.core.decorator.depends import OETestDepends | 8 | from oeqa.core.decorator.depends import OETestDepends |
7 | from oeqa.runtime.decorator.package import OEHasPackage | 9 | from oeqa.runtime.decorator.package import OEHasPackage |
10 | from oeqa.core.decorator.data import skipIfNotFeature | ||
8 | 11 | ||
9 | class ParsecTest(OERuntimeTestCase): | 12 | class ParsecTest(OERuntimeTestCase): |
13 | @classmethod | ||
14 | def setUpClass(cls): | ||
15 | cls.toml_file = '/etc/parsec/config.toml' | ||
16 | |||
17 | def setUp(self): | ||
18 | super(ParsecTest, self).setUp() | ||
19 | if 'systemd' in self.tc.td['DISTRO_FEATURES']: | ||
20 | self.parsec_status='systemctl status -l parsec' | ||
21 | self.parsec_reload='systemctl restart parsec' | ||
22 | else: | ||
23 | self.parsec_status='pgrep -l parsec' | ||
24 | self.parsec_reload='/etc/init.d/parsec reload' | ||
25 | |||
26 | def copy_subconfig(self, cfg, provider): | ||
27 | """ Copy a provider configuration to target and append it to Parsec config """ | ||
28 | |||
29 | tmp_fd, tmp_path = mkstemp() | ||
30 | with os.fdopen(tmp_fd, 'w') as f: | ||
31 | f.write('\n'.join(cfg)) | ||
32 | |||
33 | (status, output) = self.target.copyTo(tmp_path, "%s-%s" % (self.toml_file, provider)) | ||
34 | self.assertEqual(status, 0, msg='File could not be copied.\n%s' % output) | ||
35 | status, output = self.target.run('cat %s-%s >>%s' % (self.toml_file, provider, self.toml_file)) | ||
36 | os.remove(tmp_path) | ||
37 | |||
38 | def check_parsec_providers(self, provider=None, prov_id=None): | ||
39 | """ Get Parsec providers list and check for one if defined """ | ||
40 | |||
41 | status, output = self.target.run(self.parsec_status) | ||
42 | self.assertEqual(status, 0, msg='Parsec service is not running.\n%s' % output) | ||
43 | |||
44 | status, output = self.target.run('parsec-tool list-providers') | ||
45 | self.assertEqual(status, 0, msg='Cannot get a list of Parsec providers.\n%s' % output) | ||
46 | if provider and prov_id: | ||
47 | self.assertIn("ID: 0x0%d (%s provider)" % (prov_id, provider), | ||
48 | output, msg='%s provider is not configured.' % provider) | ||
49 | |||
50 | def run_cli_tests(self, prov_id=None): | ||
51 | """ Run Parsec CLI end-to-end tests against one or all providers """ | ||
52 | |||
53 | status, output = self.target.run('parsec-cli-tests.sh %s' % ("-%d" % prov_id if prov_id else "")) | ||
54 | self.assertEqual(status, 0, msg='Parsec CLI tests failed.\n %s' % output) | ||
55 | |||
10 | @OEHasPackage(['parsec-service']) | 56 | @OEHasPackage(['parsec-service']) |
11 | @OETestDepends(['ssh.SSHTest.test_ssh']) | 57 | @OETestDepends(['ssh.SSHTest.test_ssh']) |
12 | def test_parsec_service(self): | 58 | def test_all_providers(self): |
13 | toml_file = '/etc/parsec/config.tom' | 59 | """ Test Parsec service with all pre-defined providers """ |
14 | status, output = self.target.run('echo library_path = "/usr/lib/softhsm/libsofthsm2.so" >> %s' %(toml_file)) | 60 | |
15 | status, output = self.target.run('echo slot_number = 0 >> %s' %(toml_file)) | 61 | self.check_parsec_providers() |
16 | status, output = self.target.run('echo user_pin = "123456" >> %s' %(toml_file)) | 62 | self.run_cli_tests() |
63 | |||
64 | def configure_tpm_provider(self): | ||
65 | """ Create Parsec TPM provider configuration """ | ||
66 | |||
67 | cfg = [ | ||
68 | '', | ||
69 | '[[provider]]', | ||
70 | 'name = "tpm-provider"', | ||
71 | 'provider_type = "Tpm"', | ||
72 | 'key_info_manager = "sqlite-manager"', | ||
73 | 'tcti = "swtpm:port=2321"', | ||
74 | 'owner_hierarchy_auth = ""', | ||
75 | ] | ||
76 | self.copy_subconfig(cfg, "TPM") | ||
77 | |||
17 | cmds = [ | 78 | cmds = [ |
18 | '/etc/init.d/parsec stop', | ||
19 | 'sleep 5', | ||
20 | 'softhsm2-util --init-token --slot 0 --label "Parsec Service" --pin 123456 --so-pin 123456', | ||
21 | 'for d in /var/lib/softhsm/tokens/*; do chown -R parsec $d; done', | ||
22 | 'mkdir /tmp/myvtpm', | 79 | 'mkdir /tmp/myvtpm', |
23 | 'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &', | 80 | 'swtpm socket -d --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init', |
24 | 'export TPM2TOOLS_TCTI="swtpm:port=2321"', | 81 | 'tpm2_startup -c -T "swtpm:port=2321"', |
25 | 'tpm2_startup -c', | 82 | self.parsec_reload, |
26 | 'sleep 2', | ||
27 | '/etc/init.d/parsec start', | ||
28 | 'parsec-cli-tests.sh' | ||
29 | ] | 83 | ] |
30 | 84 | ||
31 | for cmd in cmds: | 85 | for cmd in cmds: |
32 | status, output = self.target.run(cmd) | 86 | status, output = self.target.run(cmd) |
33 | self.assertEqual(status, 0, msg='\n'.join([cmd, output])) | 87 | self.assertEqual(status, 0, msg='\n'.join([cmd, output])) |
88 | |||
89 | @OEHasPackage(['parsec-service']) | ||
90 | @OEHasPackage(['swtpm']) | ||
91 | @skipIfNotFeature('tpm2','Test parsec_tpm_provider requires tpm2 to be in DISTRO_FEATURES') | ||
92 | @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers']) | ||
93 | def test_tpm_provider(self): | ||
94 | """ Configure and test Parsec TPM provider with swtpm as a backend """ | ||
95 | |||
96 | prov_id = 3 | ||
97 | self.configure_tpm_provider() | ||
98 | self.check_parsec_providers("TPM", prov_id) | ||
99 | self.run_cli_tests(prov_id) | ||
100 | |||
101 | def configure_pkcs11_provider(self): | ||
102 | """ Create Parsec PKCS11 provider configuration """ | ||
103 | |||
104 | status, output = self.target.run('softhsm2-util --init-token --free --label "Parsec Service" --pin 123456 --so-pin 123456') | ||
105 | self.assertEqual(status, 0, msg='Failed to init PKCS11 token.\n%s' % output) | ||
106 | |||
107 | slot = re.search('The token has been initialized and is reassigned to slot (\d*)', output) | ||
108 | if slot is None: | ||
109 | self.fail('Failed to get PKCS11 slot serial number.\n%s' % output) | ||
110 | self.assertNotEqual(slot.group(1), None, msg='Failed to get PKCS11 slot serial number.\n%s' % output) | ||
111 | |||
112 | cfg = [ | ||
113 | '', | ||
114 | '[[provider]]', | ||
115 | 'name = "pkcs11-provider"', | ||
116 | 'provider_type = "Pkcs11"', | ||
117 | 'key_info_manager = "sqlite-manager"', | ||
118 | 'library_path = "/usr/lib/softhsm/libsofthsm2.so"', | ||
119 | 'slot_number = %s' % slot.group(1), | ||
120 | 'user_pin = "123456"', | ||
121 | 'allow_export = true', | ||
122 | ] | ||
123 | self.copy_subconfig(cfg, "PKCS11") | ||
124 | |||
125 | status, output = self.target.run('for d in /var/lib/softhsm/tokens/*; do chown -R parsec $d; done') | ||
126 | status, output = self.target.run(self.parsec_reload) | ||
127 | self.assertEqual(status, 0, msg='Failed to reload Parsec.\n%s' % output) | ||
128 | |||
129 | @OEHasPackage(['parsec-service']) | ||
130 | @OEHasPackage(['softhsm']) | ||
131 | @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers']) | ||
132 | def test_pkcs11_provider(self): | ||
133 | """ Configure and test Parsec PKCS11 provider with softhsm as a backend """ | ||
134 | |||
135 | prov_id = 2 | ||
136 | self.configure_pkcs11_provider() | ||
137 | self.check_parsec_providers("PKCS #11", prov_id) | ||
138 | self.run_cli_tests(prov_id) | ||
diff --git a/meta-parsec/recipes-core/images/security-parsec-image.bb b/meta-parsec/recipes-core/images/security-parsec-image.bb index 2ddc543..7add74b 100644 --- a/meta-parsec/recipes-core/images/security-parsec-image.bb +++ b/meta-parsec/recipes-core/images/security-parsec-image.bb | |||
@@ -1,4 +1,4 @@ | |||
1 | DESCRIPTION = "A small image for building meta-parsec packages" | 1 | DESCRIPTION = "A small image for testing Parsec service with MbedCrypto, TPM and PKCS11 providers" |
2 | 2 | ||
3 | inherit core-image | 3 | inherit core-image |
4 | 4 | ||
@@ -10,7 +10,8 @@ IMAGE_INSTALL = "\ | |||
10 | packagegroup-security-tpm2 \ | 10 | packagegroup-security-tpm2 \ |
11 | packagegroup-security-parsec \ | 11 | packagegroup-security-parsec \ |
12 | swtpm \ | 12 | swtpm \ |
13 | os-release" | 13 | softhsm \ |
14 | os-release" | ||
14 | 15 | ||
15 | export IMAGE_BASENAME = "security-parsec-image" | 16 | export IMAGE_BASENAME = "security-parsec-image" |
16 | 17 | ||
diff --git a/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb b/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb index b6c4f59..0af9c3d 100644 --- a/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb +++ b/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb | |||
@@ -11,7 +11,6 @@ PACKAGES = "\ | |||
11 | 11 | ||
12 | SUMMARY:packagegroup-security-parsec = "Security Parsec" | 12 | SUMMARY:packagegroup-security-parsec = "Security Parsec" |
13 | RDEPENDS:packagegroup-security-parsec = "\ | 13 | RDEPENDS:packagegroup-security-parsec = "\ |
14 | softhsm \ | ||
15 | parsec-tool \ | 14 | parsec-tool \ |
16 | parsec-service \ | 15 | parsec-service \ |
17 | " | 16 | " |
diff --git a/meta-tpm/classes/sanity-meta-tpm.bbclass b/meta-tpm/classes/sanity-meta-tpm.bbclass index 2f8b52d..1ab03c8 100644 --- a/meta-tpm/classes/sanity-meta-tpm.bbclass +++ b/meta-tpm/classes/sanity-meta-tpm.bbclass | |||
@@ -2,7 +2,9 @@ addhandler tpm_machinecheck | |||
2 | tpm_machinecheck[eventmask] = "bb.event.SanityCheck" | 2 | tpm_machinecheck[eventmask] = "bb.event.SanityCheck" |
3 | python tpm_machinecheck() { | 3 | python tpm_machinecheck() { |
4 | skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1" | 4 | skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1" |
5 | if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: | 5 | if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and \ |
6 | 'tpm2' not in e.data.getVar('DISTRO_FEATURES').split() and \ | ||
7 | not skip_check: | ||
6 | bb.warn("You have included the meta-tpm layer, but \ | 8 | bb.warn("You have included the meta-tpm layer, but \ |
7 | 'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ | 9 | 'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ |
8 | and preferred version setting may not take effect. See the meta-tpm README \ | 10 | and preferred version setting may not take effect. See the meta-tpm README \ |