qemu-arm

Re: [PULL 10/17] tests/functional: Convert most Aspeed machine tests


From: Peter Maydell
Subject: Re: [PULL 10/17] tests/functional: Convert most Aspeed machine tests
Date: Tue, 5 Nov 2024 16:14:49 +0000

On Thu, 24 Oct 2024 at 07:39, Cédric Le Goater <clg@redhat.com> wrote:
>
> This is a simple conversion of the tests with some cleanups and
> adjustments to match the new test framework. Replace the zephyr image
> MD5 hashes with SHA256 hashes while at it.

(ccing Stefan Berger for possible insight into swtpm)

Hi; I find that this swtpm-using test fails for me on my
local system due to an apparmor/swtpm problem...

> +    @skipUnless(*has_cmd('swtpm'))
> +    def test_arm_ast2600_evb_buildroot_tpm(self):
> +        self.set_machine('ast2600-evb')
> +
> +        image_path = self.ASSET_BR2_202302_AST2600_TPM_FLASH.fetch()
> +
> +        socket_dir = tempfile.TemporaryDirectory(prefix="qemu_")
> +        socket = os.path.join(socket_dir.name, 'swtpm-socket')
> +
> +        subprocess.run(['swtpm', 'socket', '-d', '--tpm2',
> +                        '--tpmstate', f'dir={self.vm.temp_dir}',
> +                        '--ctrl', f'type=unixio,path={socket}'])
> +
> +        self.vm.add_args('-chardev', f'socket,id=chrtpm,path={socket}')
> +        self.vm.add_args('-tpmdev', 'emulator,id=tpm0,chardev=chrtpm')
> +        self.vm.add_args('-device',
> +                         
> 'tpm-tis-i2c,tpmdev=tpm0,bus=aspeed.i2c.bus.12,address=0x2e')
> +        self.do_test_arm_aspeed_buildroot_start(image_path, '0xf00', 'Aspeed 
> AST2600 EVB')
> +
> +        exec_command_and_wait_for_pattern(self,
> +            'echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device',
> +            'tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)');
> +        exec_command_and_wait_for_pattern(self,
> +            'cat /sys/class/tpm/tpm0/pcr-sha256/0',
> +            
> 'B804724EA13F52A9072BA87FE8FDCC497DFC9DF9AA15B9088694639C431688E0');
> +
> +        self.do_test_arm_aspeed_buildroot_poweroff()
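
Review bot: the `subprocess.run(['swtpm', 'socket', '-d', ...])` call discards its result, so a non-zero exit from swtpm at startup goes unnoticed and the test only fails later, inside QEMU's tpm-emulator. Pass `check=True` (or test the return code and skip the test) so the failure is attributed to swtpm rather than to the machine under test. The two `exec_command_and_wait_for_pattern(...)` calls also end in a stray `;`, which Python accepts but which should be dropped.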

The test fails like this:

qemu-system-arm: tpm-emulator: TPM result for CMD_INIT: 0x9 operation failed

Adding extra logging to swtpm (--log file=/tmp/swtpm.log,level=20)
reveals:

SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: Permission denied
Error: Could not initialize libtpms.
Error: Could not initialize the TPM

Checking the system logs, this is because apparmor has denied it:

Nov  5 16:01:14 e104462 kernel: [946406.489088] audit: type=1400
audit(1730822474.384:446): apparmor="DENIED" operation="mknod"
profile="swtpm"
name="/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/tests/functional/arm/test_arm_aspeed.AST2x00Machine.test_arm_ast2600_evb_buildroot_tpm/qemu-machine-hhuvwytc/.lock"
pid=2820156 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000



Q1: why is apparmor forbidding swtpm from doing something that
it needs to do to work?

Q2: is there a way to run swtpm such that it is not
confined by apparmor, for purposes of running it in a test case?

Q3: if not, is there a way to at least detect that swtpm is
broken on this system so we can skip the test case?

(I note that there is a thing in the apparmor config
"owner @{HOME}/** rwk" which I think means you only run into
this if you happen to be building/testing QEMU somewhere other
than your own home directory -- but that's hardly an
unreasonable configuration...)

thanks
-- PMM
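
An added example (not part of the message above or of QEMU's test suite): a small parser for the audit record quoted in the message, which extracts what AppArmor denied to the `swtpm` profile and checks the path against a simplified model of the `owner @{HOME}/** rwk` rule. The expansion of `@{HOME}` to `/home/<user>/` and `/root/`, and all function names, are assumptions of this example.

```python
import re

# Audit record quoted in the message above, re-joined onto one line.
PAGE_RECORD = (
    'Nov  5 16:01:14 e104462 kernel: [946406.489088] audit: type=1400 '
    'audit(1730822474.384:446): apparmor="DENIED" operation="mknod" '
    'profile="swtpm" name="/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/'
    'tests/functional/arm/test_arm_aspeed.AST2x00Machine.'
    'test_arm_ast2600_evb_buildroot_tpm/qemu-machine-hhuvwytc/.lock" '
    'pid=2820156 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 '
    'ouid=1000'
)

# Assumption: @{HOME} expands to /home/<user>/ and /root/ (typical tunables).
HOME_RULE = re.compile(r'^(?:/home/[^/]+|/root)/.+')
# Permission letters as they appear in AppArmor audit masks.
MASKS = {'r': 'read', 'w': 'write', 'c': 'create', 'd': 'delete', 'k': 'lock'}


def parse_audit(line):
    """Return the key=value fields of one kernel audit line as a dict."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}


def swtpm_denials(lines, profile='swtpm'):
    """Yield a summary for each AppArmor denial logged against `profile`."""
    for line in lines:
        rec = parse_audit(line)
        if rec.get('apparmor') != 'DENIED' or rec.get('profile') != profile:
            continue
        yield {
            'operation': rec.get('operation'),
            'path': rec.get('name'),
            'denied': [MASKS.get(m, m) for m in rec.get('denied_mask', '')],
            # An "owner" rule only applies when the task's fsuid owns the file.
            'owner_match': rec.get('fsuid') == rec.get('ouid'),
            # Simplified check of the path against "@{HOME}/**".
            'under_home': bool(HOME_RULE.match(rec.get('name', ''))),
        }


if __name__ == '__main__':
    for denial in swtpm_denials([PAGE_RECORD]):
        print(denial)
```

For the record from the message, the owner condition holds but the path is not under a home directory, which is consistent with the `owner @{HOME}/** rwk` reading given above.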


