stefanberger / swtpm

Libtpms-based TPM emulator with socket, character device, and Linux CUSE interface.

Build issues seen on Alpine linux aarch64 #687

Closed ayankuma closed 2 years ago

ayankuma commented 2 years ago

Greetings from a newbie.

I am trying with v0.7.2 swtpm. I see the following issues:

/Users/ayankuma/alpine_vm/swtpm # ./autogen.sh --prefix=/Users/ayankuma/alpine_vm/ --libdir=/Users/ayankuma/alpine_vm/lib --with-openssl --with-tss-user=root --with-tss-group=root
autoreconf: export WARNINGS=
autoreconf: Entering directory '.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: configure.ac: not using Intltool
autoreconf: configure.ac: not using Gtkdoc
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
src/swtpm/Makefile.am:37: error: Libtool library used but 'LIBTOOL' is undefined
src/swtpm/Makefile.am:37:   The usual way to define 'LIBTOOL' is to add 'LT_INIT'
src/swtpm/Makefile.am:37:   to 'configure.ac' and run 'aclocal' and 'autoconf' again.
src/swtpm/Makefile.am:37:   If 'LT_INIT' is in 'configure.ac', make sure
src/swtpm/Makefile.am:37:   its definition is in aclocal's search path.
src/utils/Makefile.am:13: error: Libtool library used but 'LIBTOOL' is undefined
src/utils/Makefile.am:13:   The usual way to define 'LIBTOOL' is to add 'LT_INIT'
src/utils/Makefile.am:13:   to 'configure.ac' and run 'aclocal' and 'autoconf' again.
src/utils/Makefile.am:13:   If 'LT_INIT' is in 'configure.ac', make sure
src/utils/Makefile.am:13:   its definition is in aclocal's search path.
autoreconf: error: automake failed with exit status: 1

Can you help me with this?

Also, I read your statement "So far it has been integrated into QEMU and as a prototype into RunC (PR)". Can you share with me some docs/commands to test this?

To reproduce, you can use the docker image (registry.gitlab.com/lf-edge/runx/tests-artifacts/xen:4.16-arm64v8) for an aarch64 Alpine VM.

stefanberger commented 2 years ago

You may want to try to install the needed packages as shown in this file here: https://github.com/stefanberger/swtpm-distro-compile/blob/master/Dockerfile.alpine

ayankuma commented 2 years ago

Many thanks for the link.

I see there is a problem with the script.

/Users/ayankuma/alpine_vm/swtpm # echo "softhsm or certtool are crashing pkcs11 test case" { for f in test_tpm2_swtpm_localca_pkcs11.test test_tpm2_samples_swtpm_localca_pkcs11; do echo -en '#!/usr/bin/env bash'"\nexit 77\n" > tests/${f}; done; }
/bin/sh: syntax error: unexpected "do"
stefanberger commented 2 years ago

This particular script runs fine: https://app.travis-ci.com/github/stefanberger/swtpm-distro-compile/jobs/564960067

You don't need to run this script step by step to build swtpm.

stefanberger commented 2 years ago

Regarding QEMU, there's lots of information about VMs with attached vTPM and QEMU here: https://github.com/qemu/qemu/blob/master/docs/specs/tpm.rst

It's also possible to start a VM with an attached vTPM using libvirt. This is probably the easiest way to get started when you want a VM with an attached vTPM, particularly on a Fedora host where swtpm is already packaged. Install swtpm-tools first using dnf -y install swtpm-tools and then use this: https://libvirt.org/formatdomain.html#tpm-device

ayankuma commented 2 years ago

By following https://app.travis-ci.com/github/stefanberger/swtpm-distro-compile/jobs/564960067, I am able to build swtpm and libtpms.

Now I am trying to follow https://github.com/qemu/qemu/blob/master/docs/specs/tpm.rst

On one terminal, I have executed

/Users/ayankuma/alpine_vm/swtpm # swtpm socket --tpmstate dir=/tmp/myvtpm2 --ctrl type=unixio,path=/tmp/myvtpm2/swtpm-sock --log level=20 --tpm2

On another terminal, I get the following issue

/Users/ayankuma/alpine_vm/qemu # /Users/ayankuma/alpine_vm/qemu/build/qemu-system-i386 -m 1024 -boot d -bios ./pc-bios/bios-256k.bin -boot menu=on -chardev socket,id=chrtpm,path=/tmp/myvtpm2/swtpm2-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0  -monitor stdio  test.img
qemu-system-i386: -chardev socket,id=chrtpm,path=/tmp/myvtpm2/swtpm2-sock: Failed to connect to '/tmp/myvtpm2/swtpm2-sock': No such file or directory
/Users/ayankuma/alpine_vm/qemu # ls -ltr /tmp/myvtpm2/swtpm-sock
ls: /tmp/myvtpm2/swtpm-sock: No such file or directory

Do you know what I am missing?

stefanberger commented 2 years ago

When I run this here in one terminal as user stefanb:

$ mkdir /tmp/myvtpm2
$ swtpm socket --tpmstate dir=/tmp/myvtpm2 --ctrl type=unixio,path=/tmp/myvtpm2/swtpm-sock --log level=20 --tpm2

Then I can see this here in another terminal:

$  ls -l /tmp/myvtpm2/
total 0
srwxrwx---. 1 stefanb stefanb 0 Apr  4 10:49 swtpm-sock

You have to see something similar otherwise it will not work.

Did make check on the swtpm project pass?

ayankuma commented 2 years ago

Did make check on the swtpm project pass?

Yes, some of the tests skipped. Logs -> https://pastebin.com/KP934Nf8

When I start swtpm, I can see swtpm-sock get created:

/build # ls /tmp/myvtpm2/
tpm2-00.permall
/build # which swtpm
/usr/bin/swtpm
/build # swtpm socket --tpmstate dir=/tmp/myvtpm2 --ctrl type=unixio,path=/tmp/myvtpm2/swtpm-sock --log level=20 --tpm2

^C
/build # ls -ltr /tmp/myvtpm2/
total 8
-rw-r-----    1 root     root          6002 Apr  4 13:24 tpm2-00.permall
srwxrwx---    1 root     root             0 Apr  5 10:10 swtpm-sock

Then I start swtpm in the same terminal as above:

/build # swtpm socket --tpmstate dir=/tmp/myvtpm2 --ctrl type=unixio,path=/tmp/myvtpm2/swtpm-sock --log level=20 --tpm2

And I start qemu in the other terminal. But I see the issue:

/Users/ayankuma/alpine_vm/swtpm/src/swtpm # ls -ltr /tmp/myvtpm2
total 8
-rw-r-----    1 root     root          6002 Apr  4 13:24 tpm2-00.permall
srwxrwx---    1 root     root             0 Apr  5 10:05 swtpm-sock
/Users/ayankuma/alpine_vm/swtpm/src/swtpm # /Users/ayankuma/alpine_vm/qemu/build/qemu-system-i386 -m 1024 -boot d -bios ./pc-bios/bios-256k.bin -boot menu=on -chardev socket,id=chrtpm,path=/tmp/myvtpm2/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0  -monitor stdio  test.img
qemu-system-i386: -chardev socket,id=chrtpm,path=/tmp/myvtpm2/swtpm-sock: Failed to connect to '/tmp/myvtpm2/swtpm-sock': Connection refused
/Users/ayankuma/alpine_vm/swtpm/src/swtpm # 
stefanberger commented 2 years ago

I cannot recreate this locally on either an x86_64 or ppc64 host.

$ qemu-system-i386 -tpmdev help
Supported TPM types (choose only one):
 passthrough   Passthrough TPM backend driver
    emulator   TPM emulator backend driver

$ qemu-system-i386 -m 1024 -boot d -bios ./pc-bios/bios-256k.bin -boot menu=on -chardev socket,id=chrtpm,path=/tmp/myvtpm2/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0  -monitor stdio  test.img
WARNING: Image format was not specified for 'test.img' and probing guessed raw.
         Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
         Specify the 'raw' format explicitly to remove the restrictions.
QEMU 6.2.0 monitor - type 'help' for more information
(qemu) q
ayankuma commented 2 years ago

Is it possible that I am not running the same instance of the docker image? I don't know why.

The reason for my doubt is the timestamp of 'swtpm-sock' being different in the two terminals.

stefanberger commented 2 years ago

Is it possible that I am not running the same instance of the docker image? I don't know why.

Please read the docker documentation on how to start two shells in the same docker container: https://docs.docker.com/engine/reference/commandline/cli/
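
As an added example (not code from swtpm or from anyone in this thread), a small Python check that tells the two failures in this thread apart before QEMU is launched: "No such file or directory" means the socket path is wrong or swtpm never created it, "Connection refused" means the socket file exists but nothing is listening on it (a stale file, or swtpm running in a different container), and a successful CMD_GET_CAPABILITY exchange means the control channel is live. The command number is from swtpm's tpm_ioctl.h; the mock responder, its reply bytes (copied from the swtpm trace in this thread) and the temp directory are constructed for the demo.

```python
import os, socket, stat, struct, tempfile, threading

CMD_GET_CAPABILITY = 1   # swtpm control-channel command number (tpm_ioctl.h)
MOCK_CAP_REPLY = bytes.fromhex("00000000" "0000FFFF")   # 8-byte reply seen in the trace: result 0, caps 0xFFFF


def probe_swtpm_ctrl(path, timeout=2.0):
    """Classify a swtpm --ctrl type=unixio socket: 'missing', 'not-a-socket',
    'refused' (file exists, nothing listening), 'bad-reply', 'tpm-error' or 'ok'."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"              # wrong path, or swtpm never created it
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
        except ConnectionRefusedError:
            return "refused"          # stale socket file, e.g. left by swtpm in another container
        s.sendall(struct.pack(">I", CMD_GET_CAPABILITY))
        reply = s.recv(8)
    if len(reply) != 8:
        return "bad-reply"
    result, _caps = struct.unpack(">II", reply)
    return "ok" if result == 0 else "tpm-error"


def _mock_swtpm(path):
    """Constructed stand-in for swtpm: answers one CMD_GET_CAPABILITY, then goes away."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            if struct.unpack(">I", conn.recv(4))[0] == CMD_GET_CAPABILITY:
                conn.sendall(MOCK_CAP_REPLY)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()


def demo():
    """Recreate the three situations from the thread in a temp dir; returns their labels."""
    d = tempfile.mkdtemp(prefix="myvtpm2-")
    live, stale = os.path.join(d, "swtpm-sock"), os.path.join(d, "stale-sock")
    _mock_swtpm(live)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as tmp:
        tmp.bind(stale)               # closed without unlink: the socket file outlives its owner
    return {"wrong_path": probe_swtpm_ctrl(os.path.join(d, "swtpm2-sock")),
            "stale": probe_swtpm_ctrl(stale), "live": probe_swtpm_ctrl(live)}
```

Call demo() to run the three scenarios, or probe_swtpm_ctrl(path) against the real --ctrl socket path before starting QEMU.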

ayankuma commented 2 years ago

Thanks, now I got through the issue:

bash-5.1# /Users/ayankuma/alpine_vm/qemu/build/qemu-system-i386 -m 1024 -boot d -bios /Users/ayankuma/alpine_vm/qemu/build/pc-bios/bios-256k.bin -boot menu=on -chardev socket,id=chrtpm,path=/tmp/myvtpm2/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0  -monitor stdio  
QEMU 6.2.0 monitor - type 'help' for more information
(qemu) VNC server running on 127.0.0.1:5900

(qemu) 
(qemu) dmesg
unknown command: 'dmesg'
(qemu) 

In the other terminal where swtpm is running, I could see the

bash-5.1# swtpm socket --tpmstate dir=/tmp/myvtpm2 --ctrl type=unixio,path=/tmp/myvtpm2/swtpm-sock --log level=20 --tpm2
 Ctrl Cmd: length 4
 00 00 00 10 
 Ctrl Rsp: length 4
 00 00 00 00 
 SWTPM_IO_Read: length 10
 80 01 00 00 00 0A 00 00 01 81 
 SWTPM_IO_Write: length 10
 80 01 00 00 00 0A 00 00 01 01 
 Ctrl Cmd: length 4
 00 00 00 01 
 Ctrl Rsp: length 8
 00 00 00 00 00 00 FF FF 
Data client disconnected
 Ctrl Cmd: length 4
 00 00 00 10 
 Ctrl Rsp: length 4
 00 00 00 00 
 SWTPM_IO_Read: length 10
 80 01 00 00 00 0A 00 00 01 81 
 SWTPM_IO_Write: length 10
 80 01 00 00 00 0A 00 00 01 01 
 Ctrl Cmd: length 4
 00 00 00 01 
 Ctrl Rsp: length 8
 00 00 00 00 00 00 FF FF 
 Ctrl Cmd: length 4
 00 00 00 0E 
 Ctrl Rsp: length 4
 00 00 00 00 
 Ctrl Cmd: length 8
 00 00 00 11 00 00 00 00 
 Ctrl Rsp: length 16
 00 00 00 00 00 00 10 00 00 00 0A F8 00 00 10 00 
 Ctrl Cmd: length 4
 00 00 00 0E 
 Ctrl Rsp: length 4
 00 00 00 00 
.........

I don't see qemu booting linux. Also, how do I generate test.img?
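
As an added example, not code from swtpm or QEMU, a decoder for the --log level=20 lines above: it reads each "Ctrl Cmd/Rsp" or "SWTPM_IO_Read/Write" header plus its hexdump, names the control command (numbers from swtpm's tpm_ioctl.h) and the TPM 2.0 command or response code (TCG Part 2 tables), and interprets a control reply according to the command that preceded it. Run over the sample constructed from the quoted trace, it shows QEMU probing the TPM version with TPM2_ReadClock and receiving TPM_RC_FAILURE under a TPM 2.0 tag (no CMD_INIT has been sent yet, and a well-formed error reply is all the version probe needs), then CMD_GET_CAPABILITY and a CMD_SET_BUFFERSIZE query answered with the 4096-byte buffer limits.

```python
import re
import struct

# swtpm control-channel command numbers (tpm_ioctl.h) and TPM 2.0 codes (TCG Part 2) seen in the trace.
CTRL_CMDS = {1: "CMD_GET_CAPABILITY", 2: "CMD_INIT", 14: "CMD_STOP", 16: "CMD_SET_DATAFD", 17: "CMD_SET_BUFFERSIZE"}
TPM2_CC = {0x144: "TPM2_Startup", 0x181: "TPM2_ReadClock"}
TPM2_RC = {0x000: "TPM_RC_SUCCESS", 0x100: "TPM_RC_INITIALIZE", 0x101: "TPM_RC_FAILURE"}
PAIR = re.compile(r"^\s*(Ctrl Cmd|Ctrl Rsp|SWTPM_IO_Read|SWTPM_IO_Write): length (\d+)\s*\n"
                  r"\s*([0-9A-Fa-f ]+?)\s*$", re.M)   # header line followed by one line of hex bytes

def decode_swtpm_trace(text):
    """Return (kind, description) per hexdump; ctrl replies are read in light of the preceding ctrl command."""
    out, last_cmd = [], None
    for kind, length, hexdump in PAIR.findall(text):
        data, length = bytes.fromhex(hexdump), int(length)
        if len(data) != length:
            out.append((kind, f"length mismatch: header {length}, hexdump {len(data)}"))
        elif kind == "Ctrl Cmd":
            last_cmd = struct.unpack(">I", data[:4])[0]
            out.append((kind, CTRL_CMDS.get(last_cmd, f"unknown ctrl cmd {last_cmd}")))
        elif kind == "Ctrl Rsp":
            desc = f"result={struct.unpack('>I', data[:4])[0]}"
            if last_cmd == 17 and length == 16:           # ptm_setbuffersize reply
                _, size, lo, hi = struct.unpack(">IIII", data)
                desc += f" buffersize={size} min={lo} max={hi}"
            elif last_cmd == 1 and length == 8:           # ptm_cap reply
                desc += f" caps=0x{struct.unpack('>I', data[4:])[0]:x}"
            out.append((kind, desc))
        else:   # SWTPM_IO_Read is a TPM command from QEMU, SWTPM_IO_Write the TPM's response to it
            tag, size, code = struct.unpack(">HII", data[:10])
            names = TPM2_CC if kind == "SWTPM_IO_Read" else TPM2_RC
            out.append((kind, f"tag=0x{tag:04x} size={size} {names.get(code, f'code=0x{code:x}')}"))
    return out

# Constructed from the --log level=20 output quoted above (version probe, capability query, buffer-size query).
SAMPLE = """\
 SWTPM_IO_Read: length 10
 80 01 00 00 00 0A 00 00 01 81 
 SWTPM_IO_Write: length 10
 80 01 00 00 00 0A 00 00 01 01 
 Ctrl Cmd: length 4
 00 00 00 01 
 Ctrl Rsp: length 8
 00 00 00 00 00 00 FF FF 
Data client disconnected
 Ctrl Cmd: length 8
 00 00 00 11 00 00 00 00 
 Ctrl Rsp: length 16
 00 00 00 00 00 00 10 00 00 00 0A F8 00 00 10 00 
"""
```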

stefanberger commented 2 years ago

I don't see qemu booting linux. Also, how do I generate test.img?

Sorry, but this is way beyond the scope of the swtpm project. Please try to find something online on how to install VM images. You may be able to boot into a cdrom image that you pass via -cdrom <iso file> to qemu command line.

stefanberger commented 2 years ago

The build issues on Alpine linux aarch64 are resolved now, right?

ayankuma commented 2 years ago

Thanks, the build issues are resolved. I will have some further queries regarding the qemu tpm usage, but I will ask that as a discussion. Appreciate your help on this. :)

stefanberger commented 2 years ago

Can we close the issue?