I packed swtpm for the #QEMU build so it does not have to be installed to the system: https://github.com/jarkkojs/tpmdd-buildroot-external
start-qemu.sh will automatically set up shenanigans so that swtpm will work as the TPM emulation host for QEMU.
After the build there are three options:
output/build/images/start-qemu.sh
output/build/images/start-qemu.sh --tpm-crb
output/build/images/start-qemu.sh --tpm1
Right, and QEMU does not need to be installed on the host either. I’m trying to sort of construct this in a way that it would become as CI-friendly as possible, so that this could in addition be used as a CI workload for keyutils.
@jarkko how about submitting that swtpm package upstream? ;)
@jarkko great! FYI you have select BR2_PACKAGE_LIBTPMS in the host-swtpm package, which sounds wrong (a host tool is unlikely to require a target library)
@peterkorsgaard When upstreaming I’ll also probably want to update start-qemu.sh.in to use getopt for the sake of having easy to comprehend --tpm-version=<1,2> --tpm-device <tis,crb> parameters (when swtpm is enabled for host)
@peterkorsgaard Or actually they could be there also when swtpm is installed as a system package (via command -v swtpm check).
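The option handling sketched in the two posts above (--tpm-version / --tpm-device selection plus a `command -v swtpm` probe), as an added example that is not code from the thread or from the tpmdd-buildroot-external repository. It uses a portable while/case loop instead of util-linux getopt, only builds the swtpm and QEMU argument strings rather than launching anything, and the socket path, state directory and HOST_DIR fallback are assumptions of the example. The QEMU options (-chardev socket, -tpmdev emulator, -device tpm-tis/tpm-crb) and the swtpm socket options are the documented ones for swtpm-backed TPM emulation; the refusal of crb with TPM 1.2 reflects that the CRB interface exists only for TPM 2.0.

```shell
#!/bin/sh
# Added example: parse --tpm-version=<1,2> and --tpm-device=<tis,crb>,
# probe for swtpm, and assemble the swtpm/QEMU command lines.
# TPM_SOCK, TPM_STATE and HOST_DIR are assumptions, not values from the thread.

TPM_SOCK="${TPM_SOCK:-/tmp/swtpm-sock}"
TPM_STATE="${TPM_STATE:-/tmp/swtpm-state}"

# Parse the options; prints "<version> <device>" on success, returns 2 on
# bad input. Both --opt=value and --opt value forms are accepted.
parse_tpm_opts() {
    version=2
    device=tis
    while [ $# -gt 0 ]; do
        case "$1" in
            --tpm-version=*) version="${1#*=}" ;;
            --tpm-version)
                [ $# -ge 2 ] || { echo "--tpm-version needs a value" >&2; return 2; }
                shift; version="$1" ;;
            --tpm-device=*)  device="${1#*=}" ;;
            --tpm-device)
                [ $# -ge 2 ] || { echo "--tpm-device needs a value" >&2; return 2; }
                shift; device="$1" ;;
            *) echo "unknown option: $1" >&2; return 2 ;;
        esac
        shift
    done
    case "$version" in 1|2) ;; *) echo "bad --tpm-version: $version" >&2; return 2 ;; esac
    case "$device" in tis|crb) ;; *) echo "bad --tpm-device: $device" >&2; return 2 ;; esac
    # The CRB interface is a TPM 2.0 construct; TPM 1.2 only has TIS.
    if [ "$version" = 1 ] && [ "$device" = crb ]; then
        echo "--tpm-device=crb requires --tpm-version=2" >&2
        return 2
    fi
    echo "$version $device"
}

# Prints the path of a usable swtpm: first a system package on PATH
# (the `command -v swtpm` check from the thread), then the buildroot
# host directory (HOST_DIR is a placeholder). Returns 1 if none is found.
find_swtpm() {
    if command -v swtpm >/dev/null 2>&1; then
        command -v swtpm
        return 0
    fi
    if [ -x "${HOST_DIR:-output/host}/bin/swtpm" ]; then
        echo "${HOST_DIR:-output/host}/bin/swtpm"
        return 0
    fi
    return 1
}

# swtpm invocation for the chosen TPM version: --tpm2 selects a TPM 2.0
# emulator, omitting it yields TPM 1.2.
swtpm_cmdline() {
    ver="$1"
    tpm2flag=""
    [ "$ver" = 2 ] && tpm2flag=" --tpm2"
    echo "swtpm socket --tpmstate dir=$TPM_STATE --ctrl type=unixio,path=$TPM_SOCK$tpm2flag"
}

# QEMU arguments that attach the swtpm control socket as a TPM device of
# the chosen interface type (tpm-tis or tpm-crb).
qemu_tpm_args() {
    dev="$1"
    echo "-chardev socket,id=chrtpm,path=$TPM_SOCK -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-$dev,tpmdev=tpm0"
}

# Usage inside a start-qemu.sh-style wrapper (not run automatically here):
#   opts=$(parse_tpm_opts "$@") || exit 2
#   set -- $opts
#   swtpm=$(find_swtpm) || { echo "swtpm not found" >&2; exit 1; }
#   swtpm_cmdline "$1"      # run this in the background first
#   qemu_tpm_args "$2"      # append to the qemu-system-* command line
```

Because the functions only return strings, the same script can be dropped into a CI job and checked without any TPM emulator present; the actual launch is the one-line usage shown in the trailing comment.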
@peterkorsgaard The benefit of all this is sort of niche but still important: most of the testing of kernel patches in linux-integrity could then be done with the upstream BuildRoot’s QEMU and UEFI targets, only changing an option or a few in the config and sometimes using LINUX_OVERRIDE_SRCDIR for in-development stuff.
@jarkko yes, I saw the mails but have been quite busy. I will try to find time to review this weekend