On Mon, Feb 4, 2019 at 6:55 PM Luke Hinds wrote:
>
> On Mon, Feb 4, 2019 at 6:05 PM Andersen, John wrote:
>
>> On Mon, Feb 04, 2019 at 04:57:12PM +0000, Luke Hinds wrote:
>> > On Mon, Feb 4, 2019 at 4:12 PM Roberts, William C
>> > <[1]william.c.roberts(a)intel.com> wrote:
>> >
>> > I run it in our CI system which is using a docker container, not sure if that helps
>> > But you can look at our scripts for it.
>> >
>> > Do you mean the following travis-ci file:
>> > [2]https://github.com/tpm2-software/tpm2-abrmd/blob/master/.travis.yml#L2
>> > I noticed this, but I think it's a VM (unless I am mistaken):
>> > [3]https://docs.travis-ci.com/user/reference/overview/#virtualization-environments
>> > Any pointers to files that reference your container use, would be helpful.
>> > Cheers,
>> > Luke
>> >
>> > > -----Original Message-----
>> > > From: tpm2 [mailto:[4]tpm2-bounces(a)lists.01.org] On Behalf Of Luke Hinds
>> > > Sent: Monday, February 4, 2019 7:47 AM
>> > > To: [5]tpm2(a)lists.01.org
>> > > Subject: [tpm2] tpm2-abrmd in a container
>> > >
>> > > Hello,
>> > >
>> > > I have been working on trying to get tpm2-abrmd running in a container, but it's
>> > > proving problematic as there is a requirement on system-d and dbus. This in turn
>> > > requires running the container as privileged and mounting the host's cgroup (and
>> > > adding cap sys-admin).
>> > >
>> > > My reason for using a container, is for CI / functional testing of a project that will
>> > > use abrmd and having a lightweight means to test against the resource manager
>> > > running in a container.
>> > >
>> > > I am still early in looking at ways to achieve this, so I wanted to ask if any others
>> > > have snippets of previous attempts (successful or not) they could share?
>> > >
>> > > Thanks,
>> > >
>> > > Luke
>> >
>> > --
>> > References
>> >
>> > 1. mailto:william.c.roberts(a)intel.com
>> > 2. https://github.com/tpm2-software/tpm2-abrmd/blob/master/.travis.yml#L2
>> > 3. https://docs.travis-ci.com/user/reference/overview/#virtualization-environments
>> > 4. mailto:tpm2-bounces(a)lists.01.org
>> > 5. mailto:tpm2(a)lists.01.org
>> > 6. mailto:lhinds(a)redhat.com
>>
>> Some dbus stuff happened in the tools repo recently. Not sure if this would be
>> of help.
>>
>> https://github.com/tpm2-software/tpm2-tools/commit/9a6430ef293bc1a506224431af9370c7748f39b4
>>
>
> That looks like just what I need, thanks!
>
>> > _______________________________________________
>> > tpm2 mailing list
>> > tpm2(a)lists.01.org
>> > https://lists.01.org/mailman/listinfo/tpm2
>>
>

Almost have this working now or perhaps getting warmer. I am now looking for some advice on what values and arguments I should be using to make sure connectivity goes from tpm2-tools > tpm2-abrmd > tpm2 mssim

Within my container I run:

mkdir -p /var/run/dbus/
dbus-daemon --fork --system

start the simulator:

tpm_server &
[1] 24
[root@a2d41fb37bb3 src]# TPM command server listening on port 2321
Platform server listening on port 2322

If I now run:

[root@a2d41fb37bb3 src]# /usr/local/sbin/tpm2-abrmd --allow-root --tcti=mssim &

I can see an active bus:

[root@a2d41fb37bb3 src]# dbus-send --system --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames
method return time=1549380992.829764 sender=org.freedesktop.DBus -> destination=:1.7 serial=3 reply_serial=2
   array [
      string "org.freedesktop.DBus"
      string ":1.7"
      string "com.intel.tss2.Tabrmd"
      string ":1.6"
   ]

[root@a2d41fb37bb3 src]# dbus-send --system --dest=com.intel.tss2.Tabrmd --type=method_call --print-reply /com/intel/tss2/Tabrmd/Tcti org.freedesktop.DBus.Introspectable.Introspect
method return time=1549381010.989948 sender=:1.6 -> destination=:1.8 serial=7 reply_serial=2
   string "

The part I am now not sure of, is how to configure TPM2TOOLS_TCTI and what args should be used for the RM.

As it is, it's expected with TPM2TOOLS_TCTI undeclared:

[root@a2d41fb37bb3 src]# tpm2_pcrlist
ERROR:tcti:src/tss2-tcti/tcti-device.c:399:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: No such file or directory
ERROR: tcti init allocation routine failed for library: "device" options: "(null)"
ERROR: Could not load tcti, got: "device"

I have then tried different variations:

export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"
export TPM2TOOLS_TCTI="mssim:port=2321"
export TPM2TOOLS_TCTI="mssim:tcp://127.0.0.1:2321"

I am guessing this would be wrong though? I don't want the tools connecting to the mssim, I want them connecting to the resource manager. I should also mention, none of the above work - running `tpm2_pcrlist` just results in the command hanging and needing a ctrl c to break out.

[root@a2d41fb37bb3 src]# export TPM2TOOLS_TCTI="tabrmd:bus_name=com.intel.tss2.Tabrmd,tabrmd:bus_type=session"
[root@a2d41fb37bb3 src]# tpm2_pcrlist
ERROR: Could not dlopen library: "tabrmd"
ERROR: Could not load tcti, got: "tabrmd"

So I then tried this:

[root@a2d41fb37bb3 src]# /usr/local/sbin/tpm2-abrmd --allow-root --tcti=libtss2-tcti-mssim.so &
[root@a2d41fb37bb3 src]# export TPM2TOOLS_TCTI="mssim:port=2321"
[root@a2d41fb37bb3 src]# tpm2_pcrlist

Unfortunately the command just hangs, needing a ctrl-c to break the session.

I am aware I may be "making a pig's ear" of this, if so excuse my greenness. If anyone can point me towards what args I should be using for the connectivity flow I outlined towards the start of this email, that would be great!

Thanks,

Luke