| author | Anton Antonov <Anton.Antonov@arm.com> | 2022-08-23 18:11:38 +0100 | 
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2022-08-25 08:17:39 -0400 | 
| commit | 2753e73086c86f1065f7dace959c38d1d89fd9c5 (patch) | |
| tree | ee602f0aa649d5816d852a4019da13f60ebc1a7c | |
| parent | 64b64696a9deef8a6bdeacab8137b6305c4750b7 (diff) | |
| download | meta-security-2753e73086c86f1065f7dace959c38d1d89fd9c5.tar.gz | |
parsec-service: Update oeqa tests
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
| -rw-r--r-- | meta-parsec/README.md | 3 | ||||
| -rw-r--r-- | meta-parsec/lib/oeqa/runtime/cases/parsec.py | 100 | ||||
| -rw-r--r-- | meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb | 5 | 
3 files changed, 92 insertions, 16 deletions
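--- a/meta-parsec/README.md
+++ b/meta-parsec/README.md
@@ -99,6 +99,7 @@ The tests are run against:
 - all providers pre-configured in the Parsec config file included in the image.
 - PKCS11 and TPM providers with software backends if softhsm and
 swtpm packages included in the image.
+- TS Provider if Parsec is built with it included.
 
 Meta-parsec also contains a recipe for `security-parsec-image` image with Parsec,
 softhsm and swtpm included.
@@ -214,7 +215,7 @@ systemctl start parsec
 The IBM Software TPM service can be used for manual testing of the provider by
 including it into your test image:
 
-IMAGE_INSTALL:append = " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim"
+IMAGE_INSTALL:append = " swtpm tpm2-tools libtss2 libtss2-tcti-mssim"
 
 Inside the running VM:
 - Stop Parsec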
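--- a/meta-parsec/lib/oeqa/runtime/cases/parsec.py
+++ b/meta-parsec/lib/oeqa/runtime/cases/parsec.py
@@ -12,12 +12,8 @@ from oeqa.core.decorator.data import skipIfNotFeature
 class ParsecTest(OERuntimeTestCase):
 @classmethod
 def setUpClass(cls):
-cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
 cls.toml_file = '/etc/parsec/config.toml'
-
-@classmethod
-def tearDownClass(cls):
-cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
+cls.tc.target.run('cp -p %s %s-original' % (cls.toml_file, cls.toml_file))
 
 def setUp(self):
 super(ParsecTest, self).setUp()
@@ -40,6 +36,11 @@ class ParsecTest(OERuntimeTestCase):
 status, output = self.target.run('cat %s-%s >>%s' % (self.toml_file, provider, self.toml_file))
 os.remove(tmp_path)
 
+def restore_parsec_config(self):
+""" Restore original Parsec config """
+self.target.run('cp -p %s-original %s' % (self.toml_file, self.toml_file))
+self.target.run(self.parsec_reload)
+
 def check_parsec_providers(self, provider=None, prov_id=None):
 """ Get Parsec providers list and check for one if defined """
 
@@ -58,6 +59,23 @@ class ParsecTest(OERuntimeTestCase):
 status, output = self.target.run('parsec-cli-tests.sh %s' % ("-%d" % prov_id if prov_id else ""))
 self.assertEqual(status, 0, msg='Parsec CLI tests failed.\n %s' % output)
 
+def check_packageconfig(self, prov):
+""" Check that the require provider is included in Parsec """
+if prov not in self.tc.td['PACKAGECONFIG:pn-parsec-service']:
+self.skipTest('%s provider is not included in Parsec. Parsec PACKAGECONFIG: "%s"' % \
+(prov, self.tc.td['PACKAGECONFIG:pn-parsec-service']))
+
+def check_packages(self, prov, packages):
+""" Check for the required packages for Parsec providers software backends """
+if isinstance(packages, str):
+need_pkgs = set([packages,])
+else:
+need_pkgs = set(packages)
+
+if not self.tc.image_packages.issuperset(need_pkgs):
+self.skipTest('%s provider is not configured and packages "%s" are not included into the image' % \
+(prov, need_pkgs))
+
 @OEHasPackage(['parsec-service'])
 @OETestDepends(['ssh.SSHTest.test_ssh'])
 def test_all_providers(self):
@@ -84,7 +102,9 @@ class ParsecTest(OERuntimeTestCase):
 'mkdir /tmp/myvtpm',
 'swtpm socket -d --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init',
 'tpm2_startup -c -T "swtpm:port=2321"',
+'chown -R parsec /tmp/myvtpm',
 self.parsec_reload,
+'sleep 5',
 ]
 
 for cmd in cmds:
@@ -92,16 +112,30 @@ class ParsecTest(OERuntimeTestCase):
 self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
 
 @OEHasPackage(['parsec-service'])
-@OEHasPackage(['swtpm'])
 @skipIfNotFeature('tpm2','Test parsec_tpm_provider requires tpm2 to be in DISTRO_FEATURES')
-@OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers'])
+@OETestDepends(['ssh.SSHTest.test_ssh'])
 def test_tpm_provider(self):
 """ Configure and test Parsec TPM provider with swtpm as a backend """
 
+self.check_packageconfig("TPM")
+
+reconfigure = False
 prov_id = 3
-self.configure_tpm_provider()
-self.check_parsec_providers("TPM", prov_id)
+try:
+# Chech if the provider is already configured
+self.check_parsec_providers("TPM", prov_id)
+except:
+# Try to test the provider with a software backend
+self.check_packages("TPM", ['swtpm', 'tpm2-tools'])
+reconfigure = True
+self.configure_tpm_provider()
+self.check_parsec_providers("TPM", prov_id)
+
 self.run_cli_tests(prov_id)
+self.restore_parsec_config()
+
+if reconfigure:
+self.target.run('swtpm_ioctl -s --tcp :2322')
 
 def configure_pkcs11_provider(self):
 """ Create Parsec PKCS11 provider configuration """
@@ -132,12 +166,52 @@ class ParsecTest(OERuntimeTestCase):
 self.assertEqual(status, 0, msg='Failed to reload Parsec.\n%s' % output)
 
 @OEHasPackage(['parsec-service'])
-@OEHasPackage(['softhsm'])
-@OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers'])
+@OETestDepends(['ssh.SSHTest.test_ssh'])
 def test_pkcs11_provider(self):
 """ Configure and test Parsec PKCS11 provider with softhsm as a backend """
 
+self.check_packageconfig("PKCS11")
 prov_id = 2
-self.configure_pkcs11_provider()
-self.check_parsec_providers("PKCS #11", prov_id)
+try:
+# Chech if the provider is already configured
+self.check_parsec_providers("PKCS #11", prov_id)
+except:
+# Try to test the provider with a software backend
+self.check_packages("PKCS11", 'softhsm')
+self.configure_pkcs11_provider()
+self.check_parsec_providers("PKCS #11", prov_id)
+
+self.run_cli_tests(prov_id)
+self.restore_parsec_config()
+
+def configure_TS_provider(self):
+""" Create Trusted Services provider configuration """
+
+cfg = [
+'',
+'[[provider]]',
+'name = "trusted-service-provider"',
+'provider_type = "TrustedService"',
+'key_info_manager = "sqlite-manager"',
+]
+self.copy_subconfig(cfg, "TS")
+
+status, output = self.target.run(self.parsec_reload)
+self.assertEqual(status, 0, msg='Failed to reload Parsec.\n%s' % output)
+
+@OEHasPackage(['parsec-service'])
+@OETestDepends(['ssh.SSHTest.test_ssh'])
+def test_TS_provider(self):
+""" Configure and test Parsec PKCS11 provider with softhsm as a backend """
+
+self.check_packageconfig("TS")
+prov_id = 4
+try:
+# Chech if the provider is already configured
+self.check_parsec_providers("Trusted Service", prov_id)
+except:
+self.configure_TS_provider()
+self.check_parsec_providers("Trusted Service", prov_id)
+
 self.run_cli_tests(prov_id)
+self.restore_parsec_config()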
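Review bot: The config restore and swtpm shutdown at the end of `test_tpm_provider` (and the restore in `test_pkcs11_provider` and `test_TS_provider`) only run when every earlier assertion passes, so a failing `run_cli_tests` leaves the target with the appended provider config and, for TPM, a software TPM still listening on TCP 2321/2322 for the tests that follow. Registering the cleanup up front, e.g. `self.addCleanup(self.restore_parsec_config)` before reconfiguring, makes it unconditional. The bare `except:` in the same three tests also swallows unrelated errors (a dropped SSH session, `KeyboardInterrupt`) and then rewrites the config; `except AssertionError:` would limit the fallback to the case the comment describes, assuming `check_parsec_providers` signals absence only through assertions, which its body outside these hunks would need to confirm. `restore_parsec_config` itself ignores the status of both `target.run` calls, so a failed restore is silent.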
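--- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
+++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
@@ -69,9 +69,10 @@ do_install () {
 
 inherit useradd
 USERADD_PACKAGES = "${PN}"
-USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec"
 GROUPADD_PARAM:${PN} = "-r parsec"
-GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss', '', d)}"
+USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec"
+GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss ;', '', d)}"
+GROUPMEMS_PARAM:${PN} += "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'trusted-service-provider', '-a parsec -g teeclnt', '', d)}"
 
 FILES:${PN} += " \
 ${sysconfdir}/parsec/config.toml \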
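Review bot: The trailing ` ;` added to the tss entry is what keeps the two `groupmems` invocations separate once the `+=` line appends the teeclnt entry, and nothing on the line says so; a comment such as `# useradd.bbclass splits GROUPMEMS_PARAM on ';' - keep the separator` would stop it being tidied away. Separately, `GROUPADD_PARAM` here creates only `parsec`, so adding the service user to `teeclnt` presumably relies on another recipe having created that group first; it is worth confirming that dependency is declared whenever `trusted-service-provider` is enabled. The recipe continues outside this hunk.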
