Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

qemu_template.sh: Add support for attaching a software TPM #1827

Merged
merged 6 commits into from
Apr 4, 2024
Merged

qemu_template.sh: Add support for attaching a software TPM #1827

merged 6 commits into from
Apr 4, 2024

Conversation

pothos
Copy link
Member

@pothos pothos commented Apr 3, 2024
edited

  • qemu_template.sh: Add support for attaching a software TPM

    For testing TPM2-backed rootfs encryption it is handy to have a software
    TPM option for the qemu script.
    Add a flag for a software TPM with swtpm like kola also does. The user
    has to specify a folder for the secret state and this won't be removed
    because the same store should be able to be passed when booting the VM
    again after shutdown.

  • vm_image_util.sh: Bump default VM memory to 2 GB

    While Flatcar itself runs fine with 1 GB, many workloads do not and
    having to debug this is time consuming when one forgets to bump the VM
    memory, e.g., in the Qemu script.
    Default to 2 GB as known-good setting for things like Kubernetes or
    setting up LUKS devices.

  • qemu_template.sh: Allow parameters for VM image and memory

    When testing multiple images one always has to copy them to the
    expected file name, and when trying to run two VMs this means one needs
    to either use separate directories or modify the qemu script. One also
    needs to modify the qemu script to bump the memory for K8s or for LUKS.

    Support parameters for the VM image name and the VM memory.

(Note that the kola tests for qemu and vmware all use 2 GB or slightly more. Thus it makes sense to default to this as well in the release artifacts we provide to the users.)

How to use

./flatcar_production_qemu.sh -T myswtpmdir

Testing done

The above and verified that the swtpm process gets cleaned up even when qemu doesn't start, e.g., ./flatcar_production_qemu.sh -T swtpm-dir -- -unknown-arg

Downloaded rendered template and checked that memory and image location settings work.

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

@pothos pothos requested a review from a team April 3, 2024 12:11
@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 3, 2024
edited

Build action triggered: https://github.com/flatcar/scripts/actions/runs/8549074654

@pothos
qemu_template.sh: Allow parameters for VM image and memory
4d5e464 
When testing multiple images one always has to copy them to the
expected file name, and when trying to run two VMs this means one needs
to either use separate directories or modify the qemu script. One also
needs to modify the qemu script to bump the memory for K8s or for LUKS.

Support parameters for the VM image name and the VM memory.
@pothos
vm_image_util.sh: Bump default VM memory to 2 GB
7379db3 
While Flatcar itself runs fine with 1 GB, many workloads do not and
having to debug this is time consuming when one forgets to bump the VM
memory, e.g., in the Qemu script.
Default to 2 GB as known-good setting for things like Kubernetes or
setting up LUKS devices.
@pothos
qemu_template.sh: Add support for attaching a software TPM
48780dc 
For testing TPM2-backed rootfs encryption it is handy to have a software
TPM option for the qemu script.
Add a flag for a software TPM with swtpm like kola also does. The user
has to specify a folder for the secret state and this won't be removed
because the same store should be able to be passed when booting the VM
again after shutdown.
@pothos
qemu_template.sh: Allow parameters for VM pflash firmware
71866e4 
The qemu UEFI and regular qemu script only differ by having a default
value for the firmware. If one tries to switch between different
firmwares one normally would modify the script.
Make it easier to switch boot modes and use custom firmwares by
supporting a flag to set the pflash contents.
@pothos
Copy link
Member Author

pothos commented Apr 4, 2024
edited

Pushed one more change to also allow setting the pflash contents through a flag to switch between firmwares more easily, e.g., BIOS, UEFI, and UEFI with Secure Boot.

Edit: And for the PXE boot script two parameters to set the kernel and initrd files to be used.

@pothos
build_library/qemu_template.sh: Add notes for swtpm init commands
9d3200b 
For the swtpm version in Ubuntu some init command is required first.
@pothos
qemu_template.sh: Allow parameters for kernel and initrd
5e7b4b6 
With the PXE script it is easy to boot different versions from one
folder without any copies because the kernel and PXE initrd are always
"fresh".
Instead of only supporting hardcoded file names, support parameters for
the kernel and initrd file to be used.
@pothos pothos requested a review from a team April 4, 2024 07:55
@pothos pothos merged commit 395c884 into main Apr 4, 2024
1 check failed
@pothos pothos deleted the kai/qemu-swtpm branch April 4, 2024 08:21
@github-actions github-actions bot mentioned this pull request Apr 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ader1990 ader1990 ader1990 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@pothos @ader1990