Diffstat (limited to 'meta-security/meta-parsec')
6 files changed, 251 insertions, 7 deletions
diff --git a/meta-security/meta-parsec/README.md b/meta-security/meta-parsec/README.md
index 97026ea602..f720cd24a7 100644
--- a/meta-security/meta-parsec/README.md
+++ b/meta-security/meta-parsec/README.md
@@ -88,6 +88,71 @@ https://github.com/meta-rust/cargo-bitbake 2. Run cargo-bitbake inside the repository. It will produce a BB file. 3. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file. +Automated Parsec testing with runqemu +===================================== + + The Yocto build system has the ability to run a series of automated tests for qemu images. +All the tests are actually commands run on the target system over ssh. + + Meta-parsec includes automated unittests which run end to end Parsec tests. +The tests are run against: +- all providers pre-configured in the Parsec config file included in the image. +- PKCS11 and TPM providers with software backends if softhsm and + swtpm packages included in the image. + +Meta-parsec also contains a recipe for `security-parsec-image` image with Parsec, +softhsm and swtpm included. + + Please notice that the account you use to run bitbake should have access to `/dev/kvm`. +You might need to change permissions or add the account into `kvm` unix group. + +1. Testing Parsec with your own image where `parsec-service` and `parsec-tool` are already included. + +- Add into your `local.conf`: +``` +INHERIT += "testimage" +TEST_SUITES = "ping ssh parsec" +``` +- Build your image +```bash +bitbake <your-image> +``` +- Run tests +```bash +bitbake <your-image> -c testimage +``` + +2. Testing Parsec with pre-defined `security-parsec-image` image. 
+ +- Add into your `local.conf`: +``` +DISTRO_FEATURES += " tpm2" +INHERIT += "testimage" +TEST_SUITES = "ping ssh parsec" +``` +- Build security-parsec-image image +```bash +bitbake security-parsec-image +``` +- Run tests +```bash +bitbake security-parsec-image -c testimage +``` + +Output of a successfull tests run should look similar to: +``` +RESULTS: +RESULTS - ping.PingTest.test_ping: PASSED (0.05s) +RESULTS - ssh.SSHTest.test_ssh: PASSED (0.25s) +RESULTS - parsec.ParsecTest.test_all_providers: PASSED (1.84s) +RESULTS - parsec.ParsecTest.test_pkcs11_provider: PASSED (2.91s) +RESULTS - parsec.ParsecTest.test_tpm_provider: PASSED (3.33s) +SUMMARY: +security-parsec-image () - Ran 5 tests in 8.386s +security-parsec-image - OK - All required tests passed (successes=5, skipped=0, failures=0, errors=0) +``` + + Manual testing with runqemu =========================== diff --git a/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py new file mode 100644 index 0000000000..d3d3f2e0ce --- /dev/null +++ b/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py 
@@ -0,0 +1,138 @@ +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com> +# Copyright (C) 2022 Anton Antonov <Anton.Antonov@arm.com> +# +import re +from tempfile import mkstemp + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature + +class ParsecTest(OERuntimeTestCase): + @classmethod + def setUpClass(cls): + cls.toml_file = '/etc/parsec/config.toml' + + def setUp(self): + super(ParsecTest, self).setUp() + if 'systemd' in self.tc.td['DISTRO_FEATURES']: + self.parsec_status='systemctl status -l parsec' + self.parsec_reload='systemctl restart parsec' + else: + self.parsec_status='pgrep -l parsec' + self.parsec_reload='/etc/init.d/parsec reload' + + def copy_subconfig(self, cfg, provider): + """ Copy a provider configuration to target and append it to Parsec config """ + + tmp_fd, tmp_path = mkstemp() + with os.fdopen(tmp_fd, 'w') as f: + f.write('\n'.join(cfg)) + + (status, output) = self.target.copyTo(tmp_path, "%s-%s" % (self.toml_file, provider)) + self.assertEqual(status, 0, msg='File could not be copied.\n%s' % output) + status, output = self.target.run('cat %s-%s >>%s' % (self.toml_file, provider, self.toml_file)) + os.remove(tmp_path) + + def check_parsec_providers(self, provider=None, prov_id=None): + """ Get Parsec providers list and check for one if defined """ + + status, output = self.target.run(self.parsec_status) + self.assertEqual(status, 0, msg='Parsec service is not running.\n%s' % output) + + status, output = self.target.run('parsec-tool list-providers') + self.assertEqual(status, 0, msg='Cannot get a list of Parsec providers.\n%s' % output) + if provider and prov_id: + self.assertIn("ID: 0x0%d (%s provider)" % (prov_id, provider), + output, msg='%s provider is not configured.' 
% provider) + + def run_cli_tests(self, prov_id=None): + """ Run Parsec CLI end-to-end tests against one or all providers """ + + status, output = self.target.run('parsec-cli-tests.sh %s' % ("-%d" % prov_id if prov_id else "")) + self.assertEqual(status, 0, msg='Parsec CLI tests failed.\n %s' % output) + + @OEHasPackage(['parsec-service']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_all_providers(self): + """ Test Parsec service with all pre-defined providers """ + + self.check_parsec_providers() + self.run_cli_tests() + + def configure_tpm_provider(self): + """ Create Parsec TPM provider configuration """ + + cfg = [ + '', + '[[provider]]', + 'name = "tpm-provider"', + 'provider_type = "Tpm"', + 'key_info_manager = "sqlite-manager"', + 'tcti = "swtpm:port=2321"', + 'owner_hierarchy_auth = ""', + ] + self.copy_subconfig(cfg, "TPM") + + cmds = [ + 'mkdir /tmp/myvtpm', + 'swtpm socket -d --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init', + 'tpm2_startup -c -T "swtpm:port=2321"', + self.parsec_reload, + ] + + for cmd in cmds: + status, output = self.target.run(cmd) + self.assertEqual(status, 0, msg='\n'.join([cmd, output])) + + @OEHasPackage(['parsec-service']) + @OEHasPackage(['swtpm']) + @skipIfNotFeature('tpm2','Test parsec_tpm_provider requires tpm2 to be in DISTRO_FEATURES') + @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers']) + def test_tpm_provider(self): + """ Configure and test Parsec TPM provider with swtpm as a backend """ + + prov_id = 3 + self.configure_tpm_provider() + self.check_parsec_providers("TPM", prov_id) + self.run_cli_tests(prov_id) + + def configure_pkcs11_provider(self): + """ Create Parsec PKCS11 provider configuration """ + + status, output = self.target.run('softhsm2-util --init-token --free --label "Parsec Service" --pin 123456 --so-pin 123456') + self.assertEqual(status, 0, msg='Failed to init PKCS11 token.\n%s' % output) + + slot = 
re.search('The token has been initialized and is reassigned to slot (\d*)', output) + if slot is None: + self.fail('Failed to get PKCS11 slot serial number.\n%s' % output) + self.assertNotEqual(slot.group(1), None, msg='Failed to get PKCS11 slot serial number.\n%s' % output) + + cfg = [ + '', + '[[provider]]', + 'name = "pkcs11-provider"', + 'provider_type = "Pkcs11"', + 'key_info_manager = "sqlite-manager"', + 'library_path = "/usr/lib/softhsm/libsofthsm2.so"', + 'slot_number = %s' % slot.group(1), + 'user_pin = "123456"', + 'allow_export = true', + ] + self.copy_subconfig(cfg, "PKCS11") + + status, output = self.target.run('for d in /var/lib/softhsm/tokens/*; do chown -R parsec $d; done') + status, output = self.target.run(self.parsec_reload) + self.assertEqual(status, 0, msg='Failed to reload Parsec.\n%s' % output) + + @OEHasPackage(['parsec-service']) + @OEHasPackage(['softhsm']) + @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers']) + def test_pkcs11_provider(self): + """ Configure and test Parsec PKCS11 provider with softhsm as a backend """ + + prov_id = 2 + self.configure_pkcs11_provider() + self.check_parsec_providers("PKCS #11", prov_id) + self.run_cli_tests(prov_id) diff --git a/meta-security/meta-parsec/recipes-core/images/security-parsec-image.bb b/meta-security/meta-parsec/recipes-core/images/security-parsec-image.bb new file mode 100644 index 0000000000..7add74b940 --- /dev/null +++ b/meta-security/meta-parsec/recipes-core/images/security-parsec-image.bb @@ -0,0 +1,18 @@ +DESCRIPTION = "A small image for testing Parsec service with MbedCrypto, TPM and PKCS11 providers" + +inherit core-image + +IMAGE_FEATURES += "ssh-server-openssh" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-security-tpm2 \ + packagegroup-security-parsec \ + swtpm \ + softhsm \ + os-release" + +export IMAGE_BASENAME = "security-parsec-image" + +IMAGE_ROOTFS_EXTRA_SPACE = "5242880" 
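Review bot: `copy_subconfig` calls `os.fdopen` and `os.remove`, but the module only imports `re` and `mkstemp`, so `test_tpm_provider` and `test_pkcs11_provider` will die with a NameError before any provider is configured; add `import os` beside `import re`. In the same helper the result of the `cat ... >> config.toml` append is discarded, so a failed append only shows up later as an opaque "provider is not configured" assertion; follow it with `self.assertEqual(status, 0, msg='Failed to append %s provider config.\n%s' % (provider, output))`. In `configure_pkcs11_provider` the slot pattern `(\d*)` is a non-raw string and also matches the empty string, so the following `assertNotEqual(slot.group(1), None)` can never fail and an empty match would emit an invalid `slot_number =` line; use `r'The token has been initialized and is reassigned to slot (\d+)'` and drop that assertion. The status of the `chown -R parsec` loop is likewise ignored, which on a mis-packaged image turns into a later reload or list-providers failure rather than a clear message. The hard-coded `123456` PINs and `allow_export = true` are fine for a throwaway test token, but a one-line comment above that `cfg` saying they are test-only would stop them being copied into a real deployment config.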
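Review bot: Nothing in this recipe marks the image as test-only, although it bundles swtpm and softhsm (software TPM/HSM emulators) together with `ssh-server-openssh`; a comment such as `# Test image only: swtpm/softhsm are software key backends, not for production deployment` above `IMAGE_INSTALL` would stop it being reused as a base. The README in this same change runs `-c testimage` against it, which logs in over ssh, but I cannot see from the recipe what grants that login (no `debug-tweaks`, `empty-root-password` or `allow-root-login` here), so presumably it relies on the user's `local.conf`; stating that requirement in the DESCRIPTION or README would save a confusing first run.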
diff --git a/meta-security/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb b/meta-security/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb
new file mode 100644
index 0000000000..0af9c3d3ba
--- /dev/null
+++ b/meta-security/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb
@@ -0,0 +1,16 @@
+DESCRIPTION = "Parsec Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "\
+ packagegroup-security-parsec \
+ "
+
+SUMMARY:packagegroup-security-parsec = "Security Parsec"
+RDEPENDS:packagegroup-security-parsec = "\
+ parsec-tool \
+ parsec-service \
+ "
diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf b/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
index fe576a27fe..954bfa3b59 100644
--- a/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
+++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
@@ -1,2 +1,3 @@
 #Type Path Mode User Group Age Argument
 d /run/parsec 755 parsec parsec - -
+d /var/lib/parsec 700 parsec parsec - -
diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
index d1d6c07ad0..84539f9b25 100644
--- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
+++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
@@ -15,8 +15,8 @@ PACKAGECONFIG ??= "PKCS11 MBED-CRYPTO" have_TPM = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'TPM', '', d)}" PACKAGECONFIG:append = " ${@bb.utils.contains('BBFILE_COLLECTIONS', 'tpm-layer', '${have_TPM}', '', d)}" -PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,libts" -PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss" +PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts" +PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device" PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings," PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider," PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider," @@ -25,6 +25,13 @@ PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts" PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}" CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}" +export BINDGEN_EXTRA_CLANG_ARGS +target = "${@d.getVar('TARGET_SYS',True).replace('-', ' ')}" +BINDGEN_EXTRA_CLANG_ARGS = "${@bb.utils.contains('target', 'arm', \ + '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include -mfloat-abi=hard', \ + '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include', \ + d)}" + inherit systemd SYSTEMD_SERVICE:${PN} = "parsec.service" @@ -35,7 +42,7 @@ INITSCRIPT_NAME = "parsec" # The file should also be included into SRC_URI then PARSEC_CONFIG ?= "${S}/config.toml" -do_install:append () { +do_install () { # Binaries install -d -m 700 -o parsec -g parsec "${D}${libexecdir}/parsec" install -m 700 -o parsec -g parsec "${WORKDIR}/build/target/${CARGO_TARGET_SUBDIR}/parsec" ${D}${libexecdir}/parsec/parsec 
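Review bot: The new `BINDGEN_EXTRA_CLANG_ARGS` assignment passes `-mfloat-abi=hard` whenever the first token of `TARGET_SYS` is `arm`, i.e. for every 32-bit ARM target; as far as I can see `TARGET_SYS` does not encode the float ABI, so a softfp ARMv7 tune would get tss-esapi/cryptoki bindings generated for the wrong calling convention. Key the flag off the tune instead and drop the throwaway `target` variable (a generic name in the recipe datastore): `BINDGEN_EXTRA_CLANG_ARGS = "--sysroot=${RECIPE_SYSROOT} -I${RECIPE_SYSROOT}${includedir} ${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '-mfloat-abi=hard', '', d)}"`. A short comment above it noting that bindgen runs host clang against the target sysroot, hence the explicit `--sysroot`/`-I`, would also help the next person who has to touch it. The `getVar('TARGET_SYS',True)` form with the expand flag is the legacy spelling; `getVar('TARGET_SYS')` is the current one.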
@@ -44,9 +51,6 @@ do_install:append () { install -d -m 700 -o parsec -g parsec "${D}${sysconfdir}/parsec" install -m 400 -o parsec -g parsec "${PARSEC_CONFIG}" ${D}${sysconfdir}/parsec/config.toml - # Data dir - install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec" - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${systemd_unitdir}/system install -m 644 ${S}/systemd-daemon/parsec.service ${D}${systemd_unitdir}/system @@ -58,6 +62,8 @@ do_install:append () { if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/init.d install -m 755 ${WORKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec + # Data dir + install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec" fi } @@ -65,12 +71,12 @@ inherit useradd USERADD_PACKAGES = "${PN}" USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec" GROUPADD_PARAM:${PN} = "-r parsec" +GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss', '', d)}" FILES:${PN} += " \ ${sysconfdir}/parsec/config.toml \ ${libexecdir}/parsec/parsec \ ${systemd_unitdir}/system/parsec.service \ - ${localstatedir}/lib/parsec \ ${libdir}/tmpfiles.d/parsec-tmpfiles.conf \ ${sysconfdir}/init.d/parsec \ " |
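Review bot: `GROUPMEMS_PARAM:${PN}` tests `PACKAGECONFIG_CONFARGS` for the token `tpm-provider`, but the `ALL` packageconfig visible above enables the TPM provider through the `all-providers` feature, so an `ALL` build links the TPM provider without ever adding `parsec` to the `tss` group. Test the packageconfig names rather than the cargo feature: `GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains_any('PACKAGECONFIG', 'TPM ALL', '-a parsec -g tss', '', d)}"`. The line also deserves a why-comment; presumably the `tss` group is what the tpm2-tss udev rules use for `/dev/tpm*`, which I cannot confirm from here, so something like `# tss group membership gives the service access to the TPM device node used by the device TCTI (see tpm2-tss udev rules)` with that caveat. Note this also assumes the `tss` group already exists when parsec-service's postinst runs, which the new `tpm2-tss` RDEPENDS in the earlier hunk should normally guarantee.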