[yocto] [meta-security][PATCH 8/8] swtpm-wrappers: simplify using swtpm-native

Patrick Ohly patrick.ohly at intel.com
Mon Jan 30 23:48:07 PST 2017


Native tools exist in recipe specific sysroots and are normally
not meant to be called from outside a build. But that's what we
need to do when using swtpm-native together with qemu, so these
wrappers make that possible by setting up the necessary environment
and hiding the internal paths.

Invoking swtpm_setup.sh gets some special support: swtpm_setup.sh runs
two daemons, tcsd and swtpm, of which tcsd insists on running as root
or tss. In practice, running as the normal user is perfectly
fine. Instead of patching the upstream source code, the approach taken
here is to run under pseudo.

Usage examples:

$ bitbake swtpm-wrappers
$ mkdir -p my-machine/myvtpm0
$ tmp-glibc/work/x86_64-linux/swtpm-wrappers/1.0-r0/swtpm_setup_oe.sh --tpm-state my-machine/myvtpm0
Starting vTPM manufacturing as root:root @ Mon 16 Jan 2017 04:09:21 PM CET
TPM is listening on TCP port 55675.
-rw------- 1 root root 65 Jan 16 16:09 /tmp/tmp.2yJBKTTwRk
Ending vTPM manufacturing @ Mon 16 Jan 2017 04:09:21 PM CET

The resulting "my-machine/myvtpm0" can then be used with swtpm (this time,
it really has to be running as root because it uses CUSES to create /dev/vtpm0)
and qemu-tpm (patches not currently in OE-core, have to be applied manually):

$ sudo env TPM_DIR=my-machine/myvtpm0 tmp-glibc/work/x86_64-linux/swtpm-wrappers/1.0-r0/swtpm_cuse_oe.sh -n vtpm0
$ sudo chmod a+rw /dev/vtpm0
$ runqemu ... 'qemuparams=-tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0'

Signed-off-by: Patrick Ohly <patrick.ohly at intel.com>
---
 recipes-tpm/swtpm/swtpm-wrappers.bb | 41 ++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+)
 create mode 100644 recipes-tpm/swtpm/swtpm-wrappers.bb

diff --git a/recipes-tpm/swtpm/swtpm-wrappers.bb b/recipes-tpm/swtpm/swtpm-wrappers.bb
new file mode 100644
index 0000000..676c35e
--- /dev/null
+++ b/recipes-tpm/swtpm/swtpm-wrappers.bb
@@ -0,0 +1,41 @@
+SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
+LICENSE = "MIT"
+DEPENDS = "swtpm-native tpm-tools-native"
+
+inherit native
+
+# The whole point of the recipe is to make files available
+# for use after the build is done, so don't clean up...
+RM_WORK_EXCLUDE += "${PN}"
+
+do_create_wrapper () {
+    cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around swtpm_setup.sh which adds parameters required to
+# run the setup as non-root directly from the native sysroot.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+# tcsd only allows to be run as root or tss. Pretend to be root...
+exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
+EOF
+
+    cat >${WORKDIR}/swtpm_cuse_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around swtpm_cuse which makes it easier to invoke
+# the right binary. Has to be run as root with TPM_PATH set
+# to a directory initialized as virtual TPM by swtpm_setup_oe.sh.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+exec swtpm_cuse "\$@"
+EOF
+
+    chmod a+rx ${WORKDIR}/*.sh
+}
+
+addtask do_create_wrapper before do_build after do_prepare_recipe_sysroot
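Review bot: The environment variable named in the swtpm_cuse_oe.sh comment does not match the one used in the commit message's usage example: the wrapper says "Has to be run as root with TPM_PATH set", while the example invokes it as `sudo env TPM_DIR=my-machine/myvtpm0 ... swtpm_cuse_oe.sh -n vtpm0`. Whichever name swtpm_cuse actually reads, please use the same one in both places, otherwise a user following the commit message will point the daemon at the wrong (or no) state directory and fail at startup. Two smaller points in the same hunk: `chmod a+rx ${WORKDIR}/*.sh` is broader than needed and will also mark any other .sh that happens to land in WORKDIR as executable, so naming the two generated scripts explicitly would be safer; and since the heredocs are unquoted, it is worth a comment that `${FAKEROOTENV}`, `${FAKEROOTCMD}` and `${STAGING_DIR_NATIVE}` are expanded at recipe time into absolute build-host paths, which is intended here but means the generated scripts are only valid for this build tree.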
-- 
git-series 0.9.1