[next] Support virtualized TPM attachments to qemu VMS, plus refactor. #346
Open
amstewart wants to merge 4 commits into
Conversation
4 tasks
c5baa6e to 18ea701
Contributor
Author
meta-nilrt 977 has been merged, unblocking this PR. Patch V2
chaitu236
reviewed
May 28, 2026
18ea701 to 1a7b4a1
Contributor
Author
Patch v2
added 4 commits
May 29, 2026 15:26
QEMU throws an error when executing the start script like ...
```
qemu-system-x86_64: -drive if=pflash,format=raw,readonly,file=./OVMF/OVMF_CODE.fd: warning: short-form boolean option 'readonly' deprecated
Please use readonly=on instead
```
Use the new option syntax to satisfy the warning.
Signed-off-by: Alex Stewart <alex.stewart@emerson.com>

Using the swtpm package, Linux users can emulate a TPM device - which is useful when testing Secure Boot and NI Device Encryption workflows locally. Add a `-t` option to the QEMU start script that creates and attaches a software TPM to the VM.
Signed-off-by: Alex Stewart <alex.stewart@emerson.com>

The build.vms.sh pipeline script and associated vm-resources are somewhat difficult to comprehend and also use a statically built OVMF UEFI BIOS. In order to support TPM-based secure-boot/measured-boot testing, we should use the OVMF output from OE. While we're here, refactor the build.vms tooling to use a Makefile in a directory called `qemu`, which is hopefully a little easier to maintain.
Signed-off-by: Alex Stewart <alex.stewart@emerson.com>

Docker issues two warnings with the current Dockerfile.
1. Warns that the PYREX_IMAGE arg can have a blank value, resulting in an invalid Dockerfile. This is mostly fine, but change to let it use `pyrex-oe` as a default, so that docker will stop complaining.
2. Warns that 'FROM' and 'as' on line 2 use different casing. So make them both uppercase.
Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
1a7b4a1 to 9f02ddf
Contributor
Author
Patch v3
chaitu236
reviewed
Jun 2, 2026
chaitu236
left a comment
Contributor
Everything else looks fine except removal of build.vms.sh
Contributor
Author
BLOCKED. Block this PR merge until Jeff and I resolve his PR here.
jpautler
reviewed
Jun 12, 2026
| s) | ||
| snapshot=true | ||
| ;; | ||
| t) |
Contributor
Should we have an explicit check/error if swtpm_setup can't run? Something like this:
```bash
t)
    if ! command -v swtpm_setup &>/dev/null; then
        echo "ERROR: -t requires swtpm-tools, but it is not installed or not in PATH" >&2
        exit 1
    fi
    tpm=true
    ;;
```
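What the `-t` option from the second commit has to do end to end, combined with the `swtpm_setup` presence check suggested in this review, as an added shell sketch that is not the nilrt project's own start script. The swtpm and qemu-system-x86_64 flags are the ones those tools document; the state directory, socket name, OVMF file names, the `TPM_STATE_DIR` and `QEMU_START_RUN` environment variables and the machine/memory settings are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the project's script: attach a swtpm-backed TPM 2.0 to a
# QEMU VM behind a -t option. Paths and names below are assumptions.
set -eu

# Fail early when the swtpm tooling is missing, instead of letting qemu
# fail later with an opaque socket error. Returns 0 when both binaries exist.
have_swtpm() {
    command -v swtpm_setup >/dev/null 2>&1 && command -v swtpm >/dev/null 2>&1
}

# Provision the TPM state once: swtpm_setup writes the NVRAM blob
# (tpm2-00.permall) plus EK and platform certificates into the directory.
init_tpm_state() {
    state_dir="$1"
    if [ ! -f "$state_dir/tpm2-00.permall" ]; then
        mkdir -p "$state_dir"
        swtpm_setup --tpmstate "$state_dir" --tpm2 \
            --create-ek-cert --create-platform-cert --overwrite
    fi
}

# Start the emulator as a daemon on a UNIX control socket that qemu will
# connect to; prints the socket path. Must be running before qemu starts.
start_swtpm() {
    state_dir="$1"
    sock="$state_dir/swtpm-sock"          # assumed socket name
    swtpm socket --tpm2 --tpmstate dir="$state_dir" \
        --ctrl type=unixio,path="$sock" --daemon \
        --log file="$state_dir/swtpm.log"
    echo "$sock"
}

# Pure helper: qemu arguments wiring a swtpm socket into a TPM TIS device.
# Kept side-effect free so it can be checked without qemu or swtpm installed.
tpm_qemu_args() {
    sock="$1"
    printf '%s' "-chardev socket,id=chrtpm,path=$sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"
}

# OVMF pflash drives, using the readonly=on long form from the first commit
# so qemu no longer warns about the deprecated short-form boolean.
ovmf_qemu_args() {
    code_fd="$1"
    vars_fd="$2"
    printf '%s' "-drive if=pflash,format=raw,readonly=on,file=$code_fd -drive if=pflash,format=raw,file=$vars_fd"
}

main() {
    tpm=false
    while getopts "t" opt; do
        case "$opt" in
            t)
                if ! have_swtpm; then
                    echo "ERROR: -t requires swtpm-tools, but it is not installed or not in PATH" >&2
                    exit 1
                fi
                tpm=true ;;
            *) echo "usage: $0 [-t]" >&2; exit 2 ;;
        esac
    done
    state_dir="${TPM_STATE_DIR:-./tpm-state}"   # assumed default location
    extra=""
    if $tpm; then
        init_tpm_state "$state_dir"
        sock=$(start_swtpm "$state_dir")
        extra=$(tpm_qemu_args "$sock")
    fi
    # Word splitting of the two argument strings is intended here.
    # shellcheck disable=SC2046,SC2086
    exec qemu-system-x86_64 -machine q35 -m 2048 \
        $(ovmf_qemu_args ./OVMF/OVMF_CODE.fd ./OVMF/OVMF_VARS.fd) $extra
}

# Only launch the VM when explicitly asked (QEMU_START_RUN=1); otherwise the
# file just defines the helpers, so it can be sourced or tested safely.
if [ "${QEMU_START_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Running `QEMU_START_RUN=1 ./start.sh -t` provisions `./tpm-state` on first use, starts swtpm as a daemon, and execs qemu with the TPM device attached; the guest then sees a TPM 2.0 over the TIS interface, which is enough to exercise measured-boot and Secure Boot flows against the OE-built OVMF.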
jpautler
reviewed
Jun 12, 2026
| ni_provisioning.answers.iso | ||
| $(primary_disk_path) : $(vmdeps) | ||
| rm -f "$@" | ||
| qemu-img create -f qcow2 "$@" "$(DISK_SIZE_MB)""M" |
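Review bot: the size argument `"$(DISK_SIZE_MB)""M"` on the `qemu-img create` line is two adjacent quoted strings that make passes as one word anyway, so `"$(DISK_SIZE_MB)M"` says the same thing more readably; also, since `qemu-img create` overwrites an existing image, the preceding `rm -f "$@"` is redundant unless the intent is to guarantee no stale file survives a failed create.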
Contributor
Should qemu-img be wrapped with $(PYREX_RUN) like is done for qemu-system-x86_64? Looks like it used to be wrapped in the previous build.vms.sh.
jpautler
suggested changes
Jun 12, 2026
jpautler
left a comment
Contributor
LGTM other than the couple open comments and the separate PR with Makefile changes.
Changes
-t). When asserted, the script will create, initialize, and attach a virtualized TPM2.0 device to the VM using the `swtpm` distro package on the host machine.
`build.vms.sh` bash script, use a Makefile - where the logic is easier to parse.
`ovmf` recipe in OE-core to build the UEFI firmware, instead of using a static copy from somewhere.
AB#3752806
Testing
Process
Suggested Reviewers: