From: Luke Hinds <lhinds at redhat.com>
To: tpm2@lists.01.org
Subject: Re: [tpm2] tpm2-abrmd in a container
Date: Tue, 05 Feb 2019 15:40:23 +0000	[thread overview]
Message-ID: <CAKrSGQQuBEhFxNXvX_bEOzaG6YOKXVRQSLE5Nxvouqrf4vCZNQ@mail.gmail.com> (raw)
In-Reply-To: CAKrSGQQB1+L9EUSYkV2oHa8q_U8AjsmWF4=2=-1nd0wL-K8MxQ@mail.gmail.com


On Mon, Feb 4, 2019 at 6:55 PM Luke Hinds <lhinds(a)redhat.com> wrote:

>
>
> On Mon, Feb 4, 2019 at 6:05 PM Andersen, John <john.s.andersen(a)intel.com>
> wrote:
>
>> On Mon, Feb 04, 2019 at 04:57:12PM +0000, Luke Hinds wrote:
>> >    On Mon, Feb 4, 2019 at 4:12 PM Roberts, William C
>> >    <[1]william.c.roberts(a)intel.com> wrote:
>> >
>> >      I run it in our CI system which is using a docker container, not
>> >      sure if that helps
>> >      But you can look at our scripts for it.
>> >
>> >    Do you mean the following travis-ci file:
>> >    [2] https://github.com/tpm2-software/tpm2-abrmd/blob/master/.travis.yml#L2
>> >    I noticed this, but I think it's a VM (unless I am mistaken):
>> >    [3] https://docs.travis-ci.com/user/reference/overview/#virtualization-environments
>> >    Any pointers to files that reference your container use, would be
>> >    helpful.
>> >    Cheers,
>> >    Luke
>> >
>> >      > -----Original Message-----
>> >      > From: tpm2 [mailto:[4]tpm2-bounces(a)lists.01.org] On Behalf Of
>> Luke
>> >      Hinds
>> >      > Sent: Monday, February 4, 2019 7:47 AM
>> >      > To: [5]tpm2(a)lists.01.org
>> >      > Subject: [tpm2] tpm2-abrmd in a container
>> >      >
>> >      > Hello,
>> >      >
>> >      > I have been working on trying to get tpm2-abrmd running in a
>> >      container, but its
>> >      > proving problematic as there is a requirement on system-d and
>> >      dbus. This in turn
>> >      > requires running the container as privileged and mounting the
>> >      hosts cgroup (and
>> >      > adding cap sys-admin).
>> >      >
>> >      > My reason for using a container, is for CI / functional testing
>> of
>> >      a project that will
>> >      > use abrmd and having a lightweight means to test against the
>> >      resource manager
>> >      > running in a container.
>> >      >
>> >      > I am still early in looking at ways to achieve this, so I wanted
>> >      to ask if any others
>> >      > have snippets of previous attempts (successful or not) they could
>> >      share?
>> >      >
>> >      > Thanks,
>> >      >
>> >      > Luke
>> >
>> >    --
>> > References
>> >
>> >    1. mailto:william.c.roberts(a)intel.com
>> >    2.
>> https://github.com/tpm2-software/tpm2-abrmd/blob/master/.travis.yml#L2
>> >    3.
>> https://docs.travis-ci.com/user/reference/overview/#virtualization-environments
>> >    4. mailto:tpm2-bounces(a)lists.01.org
>> >    5. mailto:tpm2(a)lists.01.org
>> >    6. mailto:lhinds(a)redhat.com
>>
>> Some dbus stuff happened in the tools repo recently. Not sure if this
>> would be
>> of help.
>>
>> https://github.com/tpm2-software/tpm2-tools/commit/9a6430ef293bc1a506224431af9370c7748f39b4
>>
>>
> That looks like just what I need, thanks!
>
>
>> > _______________________________________________
>> > tpm2 mailing list
>> > tpm2(a)lists.01.org
>> > https://lists.01.org/mailman/listinfo/tpm2
>>
>>
>
>
Almost have this working now or perhaps getting warmer. I am now looking
for some advice on what values and arguments I should be using to make sure
connectivity goes from tpm2-tools > tpm2-abrmd > tpm2 mssim

Within my container I run:

mkdir -p /var/run/dbus/
dbus-daemon --fork --system

start the simulator:

tpm_server &
[1] 24
[root(a)a2d41fb37bb3 src]# TPM command server listening on port 2321
Platform server listening on port 2322

If I now run:

[root(a)a2d41fb37bb3 src]# /usr/local/sbin/tpm2-abrmd --allow-root
--tcti=mssim &

I can see an active bus:

[root(a)a2d41fb37bb3 src]# dbus-send --system --dest=org.freedesktop.DBus
--type=method_call --print-reply /org/freedesktop/DBus
org.freedesktop.DBus.ListNames
method return time=1549380992.829764 sender=org.freedesktop.DBus ->
destination=:1.7 serial=3 reply_serial=2
   array [
      string "org.freedesktop.DBus"
      string ":1.7"
      string "com.intel.tss2.Tabrmd"
      string ":1.6"
   ]


[root(a)a2d41fb37bb3 src]# dbus-send --system --dest=com.intel.tss2.Tabrmd
--type=method_call --print-reply /com/intel/tss2/Tabrmd/Tcti
org.freedesktop.DBus.Introspectable.Introspect
method return time=1549381010.989948 sender=:1.6 -> destination=:1.8
serial=7 reply_serial=2
   string "<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object
Introspection 1.0//EN"
                      "
http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
<!-- GDBus 2.58.3 -->
<node>
  <interface name="org.freedesktop.DBus.Properties">
    <method name="Get">
      <arg type="s" name="interface_name" direction="in"/>
      <arg type="s" name="property_name" direction="in"/>
      <arg type="v" name="value" direction="out"/>
    </method>
    <method name="GetAll">
      <arg type="s" name="interface_name" direction="in"/>
      <arg type="a{sv}" name="properties" direction="out"/>
    </method>
    <method name="Set">
      <arg type="s" name="interface_name" direction="in"/>
      <arg type="s" name="property_name" direction="in"/>
      <arg type="v" name="value" direction="in"/>
    </method>
    <signal name="PropertiesChanged">
      <arg type="s" name="interface_name"/>
      <arg type="a{sv}" name="changed_properties"/>
      <arg type="as" name="invalidated_properties"/>
    </signal>
  </interface>
  <interface name="org.freedesktop.DBus.Introspectable">
    <method name="Introspect">
      <arg type="s" name="xml_data" direction="out"/>
    </method>
  </interface>
  <interface name="org.freedesktop.DBus.Peer">
    <method name="Ping"/>
    <method name="GetMachineId">
      <arg type="s" name="machine_uuid" direction="out"/>
    </method>
  </interface>
  <interface name="com.intel.tss2.TctiTabrmd">
    <method name="CreateConnection">
      <arg type="ah" name="fds" direction="out"/>
      <arg type="t" name="id" direction="out"/>
    </method>
    <method name="Cancel">
      <arg type="t" name="id" direction="in"/>
      <arg type="u" name="return_code" direction="out"/>
    </method>
    <method name="SetLocality">
      <arg type="t" name="id" direction="in"/>
      <arg type="y" name="locality" direction="in"/>
      <arg type="u" name="return_code" direction="out"/>
    </method>
  </interface>
</node>

The part I am now not sure of, is how to configure TPM2TOOLS_TCTI and what
args should be used for the RM.

As it is, it's expected with TPM2TOOLS_TCTI undeclared:

[root(a)a2d41fb37bb3 src]# tpm2_pcrlist
ERROR:tcti:src/tss2-tcti/tcti-device.c:399:Tss2_Tcti_Device_Init() Failed
to open device file /dev/tpm0: No such file or directory
ERROR: tcti init allocation routine failed for library: "device" options:
"(null)"
ERROR: Could not load tcti, got: "device"

I have then tried different variations:

export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"
export TPM2TOOLS_TCTI="mssim:port=2321"
export TPM2TOOLS_TCTI="mssim:tcp://127.0.0.1:2321"

I am guessing this would be wrong though? I don't want the tools connecting
to the mssim, I want them connecting to the resource manager.

I should also mention, none of the above work - running `tpm2_pcrlist` just
results in the command hanging and needing a ctrl c to break out.

[root(a)a2d41fb37bb3 src]# export
TPM2TOOLS_TCTI="tabrmd:bus_name=com.intel.tss2.Tabrmd,tabrmd:bus_type=session"
[root(a)a2d41fb37bb3 src]# tpm2_pcrlist
ERROR: Could not dlopen library: "tabrmd"
ERROR: Could not load tcti, got: "tabrmd"

So I then tried this:

[root(a)a2d41fb37bb3 src]# /usr/local/sbin/tpm2-abrmd --allow-root
--tcti=libtss2-tcti-mssim.so &
[root(a)a2d41fb37bb3 src]# export TPM2TOOLS_TCTI="mssim:port=2321"
[root(a)a2d41fb37bb3 src]# tpm2_pcrlist

Unfortunately the command just hangs, needing a ctrl-c to break the session.

I am aware I may be "making a pig's ear" of this, if so excuse my
greenness.

If anyone can point me towards what args I should be using for the
connectivity flow I outlined towards the start of this email, that would be
great!

Thanks,

Luke
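The chain described in this message (tpm2-tools > tpm2-abrmd > tpm_server) as one start-up script. This is an added example, not code from the thread or from the tpm2-software projects; it assumes tpm2-abrmd, tpm_server, nc and ldconfig are on PATH, that tpm2-tools dlopen libtss2-tcti-tabrmd, and that the bus started with "dbus-daemon --system" is the one the resource manager registers com.intel.tss2.Tabrmd on, hence bus_type=system.

```shell
#!/bin/sh
# Added example: bring up tpm_server -> tpm2-abrmd -> tpm2-tools in
# dependency order inside a container. Assumed: tools on PATH, nc and
# ldconfig available, system bus started by dbus-daemon --system.
set -eu

MSSIM_HOST=${MSSIM_HOST:-127.0.0.1}
MSSIM_PORT=${MSSIM_PORT:-2321}

# TCTI conf string handed to tpm2-abrmd --tcti so the RM talks to the simulator.
abrmd_tcti_conf() {
    printf 'mssim:host=%s,port=%s' "$1" "$2"
}

# TCTI conf string for TPM2TOOLS_TCTI so the tools reach the RM over D-Bus.
# bus_type names the bus the RM was started on: "system" or "session".
tools_tcti_conf() {
    case "$1" in
        system|session) ;;
        *) echo "bus_type must be system or session, got '$1'" >&2; return 1 ;;
    esac
    printf 'tabrmd:bus_name=com.intel.tss2.Tabrmd,bus_type=%s' "$1"
}

# Wait up to $3 seconds for $1:$2 to accept a TCP connection (0 = up, 1 = timeout).
wait_for_port() {
    i=0
    until nc -z "$1" "$2" 2>/dev/null; do
        i=$((i + 1))
        [ "$i" -lt "$3" ] || { echo "timeout waiting for $1:$2" >&2; return 1; }
        sleep 1
    done
}

main() {
    # Preflight: the tools cannot load "tabrmd" unless the TCTI library is on the loader path.
    ldconfig -p | grep -q libtss2-tcti-tabrmd || { echo "libtss2-tcti-tabrmd not found" >&2; exit 1; }
    mkdir -p /var/run/dbus
    dbus-daemon --fork --system
    tpm_server &
    wait_for_port "$MSSIM_HOST" "$MSSIM_PORT" 10   # simulator must be up before the RM starts
    tpm2-abrmd --allow-root --tcti="$(abrmd_tcti_conf "$MSSIM_HOST" "$MSSIM_PORT")" &
    sleep 2                                         # give the RM time to claim its bus name
    TPM2TOOLS_TCTI=$(tools_tcti_conf system); export TPM2TOOLS_TCTI
    tpm2_pcrlist                                    # goes tools -> tabrmd -> mssim
}

if [ "${RUN_STACK:-0}" = 1 ]; then main; fi
```

Run with RUN_STACK=1 inside the container; the conf-string helpers can be sourced and checked on their own without starting anything.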

