elmarco wants to merge 12 commits from /p/elmarco/ibmtpm20tss/ to master, 2025-06-11
This series provides installation of the TPM 2.0 tests and usability from swtpm.
Right now, swtpm tests are run at package build time, and distros can't easily vendor extra software. Instead, we want swtpm tests to run an already installed version of the tests, and permit users/testers to run tests later from an installed system.
Thanks
| Commit | Date | |
|---|---|---|
| | 2024-07-10 16:52:02 | Tree |
| [e8aa9a] utils: lookup policies under $POLICIESDIR Signed-off-by: Marc-André Lureau <marcandre.lureau@...> | 2024-07-10 16:43:22 | Tree |
| [d22339] utils/reg.sh: add --without-events Signed-off-by: Marc-André Lureau <marcandre.lureau@...> | 2024-07-10 13:04:18 | Tree |
| [e94116] utils/reg.sh: add --rev NO argument, skip tests requiring > NO Signed-off-by: Marc-André Lureau <marcandre.lureau@...> | 2024-07-10 13:04:18 | Tree |
| [080ca5] utils/reg.sh: add --without-nuvoton Signed-off-by: Marc-André Lureau <marcandre.lureau@...> | 2024-07-10 12:40:39 | Tree |
| [931b1a] utils/reg.sh: add --without-ecc Signed-off-by: Marc-André Lureau <marcandre.lureau@...> | 2024-07-10 12:29:53 | Tree |
| [b47c50] utils/reg.sh: skip rootcerts checks if /home/kgold missing Signed-off-by: Marc-André Lureau <marcandre.lureau@...> | 2024-07-10 12:11:47 | Tree |
| [f1fbf2] utils: add reg.sh -s/--swtpm option Teach reg.sh to run against a swtpm server. Signed-off-by: Marc-André Lureau <marcandre.lureau@...> | 2024-07-10 11:12:43 | Tree |
| [2a54d8] utils: replace run.out by temporary $RUN_OUT Signed-off-by: Marc-André Lureau <marcandre.lureau@...> | 2024-07-09 19:49:53 | Tree |
| [a1d4eb] utils/reg.sh: prefix tests relative to reg.sh location Signed-off-by: Marc-André Lureau <marcandre.lureau@...> | 2024-07-09 15:32:32 | Tree |
| [4bac40] utils/reg.sh: ./ PREFIX for tarball check Otherwise assume we are running with tss PREFIX. Signed-off-by: Marc-André Lureau <marcandre.lureau@...> | 2024-07-09 15:22:29 | Tree |
| [c171ab] Install utils/ regressions tests Signed-off-by: Marc-André Lureau <marcandre.lureau@...> | 2024-07-08 15:50:53 | Tree |

The code has no comments, and there are no patch descriptions for the patches. Since the autotools code was contributed, I cannot accept changes unless they are clear.
The regression tests can already be run before or after installation, so the purpose of the patches is unclear. "distros can't easily vendor extra software" is unclear. What extra software, and what vendor?
utils/reg.sh: skip rootcerts checks if /home/kgold missing looks odd. Why would the /home/kgold directory be hard coded?
@kagoldman I missed your reply. SourceForge isn't very good at notifying me by mail, it seems. Perhaps @me is necessary.
Sure, I can document better what the patches do. They are quite simple and self-explanatory in general.
The whole purpose is to run the TSS & swtpm tests not within the project source tree, but when installed. Tests can then be packaged and run more easily by users.
"distros can't easily vendor extra software": swtpm currently fetches the sources of ibmtss, and patches it during build check time. This is not allowed by distributions' build systems. In general, distributions don't accept "vendoring" extra external software: swtpm can't ship its own "bundled" version of TSS. So the swtpm test coverage under distributions is currently lacking the TSS test suite. This series allows one to package TSS tests and then run the swtpm tests that depend on it, during build time in the distro.
"utils/reg.sh: skip rootcerts checks if /home/kgold missing looks odd"
utils/certificates/rootcerts.txt references files from this path. Yes, it should probably be fixed, but I was hoping you would know better!
The regression test can run after installation. Is there a bug that prevents this for you?
What do you mean by 'swtpm currently fetches the sources of ibmtss'? swtpm is a separate project.
'swtpm test coverage under distributions is currently lacking the TSS test suite.' - The documentation explains why the TSS test suite is not a TPM test suite.
'and then run the swtpm tests' What are these swtpm tests? The TCG maintains a TPM test suite, entirely separate from any TSS.
I still do not understand what bug is being fixed or what feature is being added.
The goal is to run the tests from installation. Currently, the tests are not installed. This is what this series achieves: install tests and make them usable from the swtpm test suite.
'swtpm currently fetches the sources of ibmtss': it literally fetches and compiles the source from git: https://github.com/stefanberger/swtpm/blob/master/tests/test_tpm2_ibmtss2#L54 This is not allowed by distributions' builders.
What does 'from installation' mean? What are 'the tests'? Do you mean the TSS regression test scripts? Are you trying to test the TPM using the TSS regression tests? Or testing the TSS using the TPM?
In the past, the distros did not want the regression tests installed. Or the sample policies and certificates. Has something changed? Is installing the certificates a security hole? Where are you proposing to install them?
The code has no comments. The autotools code is fragile, and I don't want to break it. The changes have to be very clear - both the use case and the implementation.
swtpm runs the TSS regression tests against its emulator. They are the tests we need to have installed as done by this series.
Tests shouldn't need to modify or install system certificates. Currently they don't run anyway since they need "/home/kgold/tss2/utils/certificates/". See also "utils/reg.sh: skip rootcerts checks if /home/kgold missing" patch.
The use case is clear: allow distributions to run TSS regression tests against swtpm.
And you shouldn't worry about distribution policies, about what can be installed and where. This is a per-distribution rule and a packaging role. But in general, what is done in Fedora/RHEL/CentOS and Debian is the norm. I intend to ship those changes in Fedora/RHEL/CentOS.
What SW TPM runs the TSS regression tests? I don't know of any, and I don't know why a TPM would do this.
If a TSS wants to run its tests against a SW TPM, it can do so. I don't know what this patch is doing.
I also worry about applying a patch that has no comments and which I don't understand. This is security software - I am cautious.
Since swtpm v0.10, it can run against the installed ibmtpm20tss regression tests (see https://github.com/stefanberger/swtpm/commit/603396664f830c273581d3b364ed7139b8293639)
I updated the patch series to add more comments. Let me know if something is unclear or could be improved. thanks
@kagoldman do you have further questions? thanks
Hi @kagoldman, can I do something to make progress? thanks
Hi @kagoldman, happy new year! can you check this series again? thanks
I'm still blocked at the same questions.
How will the TSS be different after this patch set? What does it do?
Is this trying to run the TSS regression test against a TPM? To test the TSS? To test the TPM? Is it creating dependencies?
If you're trying to test a TPM install, the TSS regression test coverage is incomplete. TCG has a more complete test suite available to TCG members.
It installs the regression tests on the system.
The tests don't run by themselves; they need to be run by the user (or some automated tool).
swtpm is tested against different test suites: this project's test suite is one of them.
We want to make those tests available from the system, to not have to download and patch ibmtss during testing.
thanks again
@kagoldman hi, could you take a look at this MR again? considering elmarco's latest answers. Thanks!