Re: [PULL 10/17] tests/functional: Convert most Aspeed machine tests

[Stefan Berger]

On 11/5/24 11:14 AM, Peter Maydell wrote:
> On Thu, 24 Oct 2024 at 07:39, Cédric Le Goater <clg@redhat.com> wrote:
> > This is a simple conversion of the tests with some cleanups and
> > adjustments to match the new test framework. Replace the zephyr image
> > MD5 hashes with SHA256 hashes while at it.
>
> (ccing Stefan Berger for possible insight into swtpm)
>
> Hi; I find that this swtpm-using test fails for me on my
> local system due to an apparmor/swtpm problem...
>
> > +    @skipUnless(*has_cmd('swtpm'))
> > +    def test_arm_ast2600_evb_buildroot_tpm(self):
> > +        self.set_machine('ast2600-evb')
> > +
> > +        image_path = self.ASSET_BR2_202302_AST2600_TPM_FLASH.fetch()
> > +
> > +        socket_dir = tempfile.TemporaryDirectory(prefix="qemu_")
> > +        socket = os.path.join(socket_dir.name, 'swtpm-socket')
> > +
> > +        subprocess.run(['swtpm', 'socket', '-d', '--tpm2',
> > +                        '--tpmstate', f'dir={self.vm.temp_dir}',
> > +                        '--ctrl', f'type=unixio,path={socket}'])
> > +
> > +        self.vm.add_args('-chardev', f'socket,id=chrtpm,path={socket}')
> > +        self.vm.add_args('-tpmdev', 'emulator,id=tpm0,chardev=chrtpm')
> > +        self.vm.add_args('-device',
> > +                         
> > 'tpm-tis-i2c,tpmdev=tpm0,bus=aspeed.i2c.bus.12,address=0x2e')
> > +        self.do_test_arm_aspeed_buildroot_start(image_path, '0xf00', 'Aspeed 
> > AST2600 EVB')
> > +
> > +        exec_command_and_wait_for_pattern(self,
> > +            'echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device',
> > +            'tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)');
> > +        exec_command_and_wait_for_pattern(self,
> > +            'cat /sys/class/tpm/tpm0/pcr-sha256/0',
> > +            
> > 'B804724EA13F52A9072BA87FE8FDCC497DFC9DF9AA15B9088694639C431688E0');
> > +
> > +        self.do_test_arm_aspeed_buildroot_poweroff()
>
> The test fails like this:
>
> qemu-system-arm: tpm-emulator: TPM result for CMD_INIT: 0x9 operation failed
>
> Adding extra logging to swtpm (--log file=/tmp/swtpm.log,level=20)
> reveals:
>
> SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: Permission denied
> Error: Could not initialize libtpms.
> Error: Could not initialize the TPM
>
> Checking the system logs, this is because apparmor has denied it:
>
> Nov  5 16:01:14 e104462 kernel: [946406.489088] audit: type=1400
> audit(1730822474.384:446): apparmor="DENIED" operation="mknod"
> profile="swtpm"
> name="/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/tests/functional/arm/test_arm_aspeed.AST2x00Machine.test_arm_ast2600_evb_buildroot_tpm/qemu-machine-hhuvwytc/.lock"
> pid=2820156 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000
> ouid=1000
>
>
>
> Q1: why is apparmor forbidding swtpm from doing something that
> it needs to do to work?

What distro and version is this?

The profile may be too strict and not reflecting all the paths needed 
for running the test cases. Ubuntu for example would have to update 
their profile in such a case.

> Q2: is there a way to run swtpm such that it is not
> confined by apparmor, for purposes of running it in a test case?

Try either one:
- sudo aa-complain /usr/bin/swtpm
- sudo aa-disable /usr/bin/swtpm

> Q3: if not, is there a way to at least detect that swtpm is
> broken on this system so we can skip the test case?

It's not swtpm that is broken but the AppArmor profile is too strict. 
Above command lines should work.

> (I note that there is a thing in the apparmor config
> "owner @{HOME}/** rwk" which I think means you only run into
> this if you happen to be building/testing QEMU somewhere other
> than your own home directory -- but that's hardly an
> unreasonable configuration...)
>
> thanks
> -- PMM