Project

General

Profile

action #100512

[Tumbleweed][security][backlog] security_swtpm_uefi is not multi-arch

Added by ggardet_arm 10 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Enhancement to existing tests
Target version:
-
Start date:
2021-10-07
Due date:
% Done:

100%

Estimated time:
16.00 h
Difficulty:

Description

Observation

openQA test in scenario opensuse-Tumbleweed-DVD-aarch64-security_swtpm_uefi@aarch64 fails in
swtpm_verify

security_swtpm_uefi is not multi-arch yet and supports x86 only atm.
You can see the failure on aarch64 here: https://openqa.opensuse.org/tests/1955722/modules/swtpm_verify/steps/12
swtpm/swtpm_aarch64_uefi.xml variant of swtpm/swtpm_uefi.xml should be created and used.

Test suite description

Reproducible

Fails since (at least) Build 20210929

Expected result

Last good: (unknown) (or more recent)

Further details

Always latest result in this scenario: latest


Related issues

Related to openQA Tests - action #113063: [Tumbleweed][security][backlog] Move swtpm aarch64 tests to production job groupResolved2022-06-27

History

#1 Updated by maritawerner 10 months ago

  • Subject changed from security_swtpm_uefi is not multi-arch to [security] security_swtpm_uefi is not multi-arch

#2 Updated by llzhao 10 months ago

  • Subject changed from [security] security_swtpm_uefi is not multi-arch to [Tumbleweed][security] security_swtpm_uefi is not multi-arch
  • Category changed from Bugs in existing tests to Enhancement to existing tests
  • Assignee set to rfan1
  • Estimated time set to 16.00 h

#3 Updated by llzhao 10 months ago

  • Assignee changed from rfan1 to shawnhao

#4 Updated by rfan1 10 months ago

llzhao shawnhao

As I know, nested virtualization is not supported yet on the platforms other than x86_64. but I need double confirm. we can move this job to dev group at first.

Investigating....

#5 Updated by ggardet_arm 10 months ago

This is already in dev group: https://openqa.opensuse.org/tests/1962934#step/swtpm_verify/14
And I confirm there is no nested virt on aarch64 for now.

#6 Updated by shawnhao 10 months ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

Closed this poo since security_swtpm_uefi supports only x86 for now.

#7 Updated by ggardet_arm 10 months ago

  • Status changed from Resolved to New

shawnhao wrote:

Closed this poo since security_swtpm_uefi supports only x86 for now.

Reopen.
The purpose of this ticket is to make it compatible with aarch64, so closing it with 'x86 only for now' does not seem right.
Are there any limitations making it really incompatible with aarch64?

#8 Updated by rfan1 10 months ago

ggardet_arm wrote:

shawnhao wrote:

Closed this poo since security_swtpm_uefi supports only x86 for now.

Reopen.
The purpose of this ticket is to make it compatible with aarch64, so closing it with 'x86 only for now' does not seem right.
Are there any limitations making it really incompatible with aarch64?

We are carrying out this tests with nested virtualization on x86_64 platform, however, on aarch64, we may not support nested virtualization for now, correct?

please correct me if I am wrong, then we can implement the tests on aarch64 as well.

#9 Updated by ggardet_arm 10 months ago

Sorry, but I do not understand why nested virt is mandatory. We can run qemu inside qemu, without kvm. It is already done for openqa_bootstrap test.

#10 Updated by rfan1 10 months ago

Thanks,
Qemu in qemu without kvm should have very low performance, can you please help point me the test link? I will try to test it manually at first.

The reason why I used virt is that: this new feature as SLES15SP3 should support libvirt as well. so I tested the x86_64 with libvirt with qemu+kvm emulator.

BR//Richard.

#13 Updated by rfan1 10 months ago

12118

I have trouble to boot up my L2 vm on my local aarch64 setup.

#/usr/bin/qemu-system-aarch64 \
-m 2048 \
-machine virt,usb=off,gic-version=2,its=off \
-netdev user,id=qanet0,hostfwd=tcp::2222-:22 \
-device virtio-net,netdev=qanet0,mac=52:54:00:12:34:57 \
-boot menu=on,splash-time=5000 \
-smp 2 \
-vnc :92 \
-device virtio-scsi-pci,id=scsi0 \
-blockdev driver=file,node-name=hd0-overlay0-file,filename=opensuse-Tumbleweed-aarch64-20211028-textmode@aarch64.qcow2,cache.no-flush=on \
-blockdev driver=qcow2,node-name=hd0-overlay0,file=hd0-overlay0-file,cache.no-flush=on \
-device virtio-blk-device,id=hd0-device,drive=hd0-overlay0,serial=hd0 \
-drive id=pflash-code-overlay0,if=pflash,file=/home/aavmf-aarch64-code.bin,readonly=on \
-drive id=pflash-vars-overlay0,if=pflash,file=/home/aavmf-aarch64-vars.bin,unit=1,format=raw \
-serial stdio

I failed to boot up my VM and qemu seemed hang there.

BTW, do we have any ipmi setup to run the swtpm tests? it will not need nested virtualization then.

#14 Updated by llzhao 3 months ago

  • Subject changed from [Tumbleweed][security] security_swtpm_uefi is not multi-arch to [Tumbleweed][security][backlog] security_swtpm_uefi is not multi-arch

#15 Updated by shawnhao 2 months ago

  • Assignee changed from shawnhao to StarryWang

#16 Updated by StarryWang 2 months ago

  • Status changed from New to In Progress
  • % Done changed from 100 to 0

I'll try to add swtpm/swtpm_aarch64_uefi.xml and add aarch64 support for this test case.

#17 Updated by StarryWang 2 months ago

  • Status changed from In Progress to Rejected

The aarch64 platform does not support nested virtualization, so this ticket will be rejected.
https://openqa.opensuse.org/tests/2416048#step/swtpm_verify/12

#18 Updated by ggardet_arm 2 months ago

I see 2 possibilities to workaround this:

  1. Use non-kvm virtualization
  2. Use the Raspberry Pi 4 target

#19 Updated by StarryWang 2 months ago

StarryWang wrote:

The aarch64 platform does not support nested virtualization, so this ticket will be rejected.
https://openqa.opensuse.org/tests/2416048#step/swtpm_verify/12

Hi, thanks for your reminder,
Just discussed with rfan1, we can not use non-kvm virtualization since swtpm requires it.
So can you help to provide some docs about how to run it on RPI4? thanks.

#20 Updated by StarryWang 2 months ago

  • Status changed from Rejected to In Progress

#21 Updated by ggardet_arm 2 months ago

Here is an example of test on the Raspberry Pi 4 with vagrant: https://openqa.opensuse.org/tests/2415755
You can have a look at schedule/vagrant.yaml for the 1st steps needed to boot and prepare the RPi 4, before running the tests for TPM.

Also, pevik_ (Petr Vorel) reached out to me on IRC yesterday, for tests using LetsTrust TPM module. See: https://en.opensuse.org/HCL:Raspberry_Pi3_TPM
So, I plugged this TPM module in the Raspberry Pi 4 used on o3 (WORKER_CLASS=generalhw_RPi4_TPM).

#22 Updated by StarryWang 2 months ago

  • % Done changed from 0 to 50

I've updated the test code to add JeOS support for this test case,
and now these tests are passed in the Dev group.
https://openqa.opensuse.org/tests/2420013#
https://openqa.opensuse.org/tests/2420014#

I'll submit a PR when these tests are stable in Dev group.

#23 Updated by StarryWang about 2 months ago

  • % Done changed from 50 to 60

The flavor of create_swtpm_hdd_aarch is DVD, and the flavor of security_swtpm_jeos is JeOS-for-RPi-aarch64,
I can not add START_AFTER_TEST dependencies between these two tests since they use different flavors,
and I also can not set the flavor of create_swtpm_hdd_aarch to JeOS-for-RPi-aarch64 since it needs to start after create_hdd_textmode@aarch64.
So I updated the test code in swtpm_env_setup.pm to check the status of create_swtpm_hdd_aarch by using openQA API.

Here is the test result after I changed the test code:
create_swtpm_hdd_aarch: https://openqa.opensuse.org/tests/2432209#
security_swtpm_jeos: https://openqa.opensuse.org/tests/2432404#

#24 Updated by StarryWang about 2 months ago

  • Status changed from In Progress to Workable
  • % Done changed from 60 to 80

#25 Updated by StarryWang about 2 months ago

bchou suggests I rename the new test name to security_swtpm_jeos_rpi4.
And I renamed the yaml schedule file name to swtpm_jeos_rpi4.yaml.
Here is the VR after rename the test suite: https://openqa.opensuse.org/tests/2433943#

#26 Updated by StarryWang about 2 months ago

  • Status changed from Workable to Feedback
  • % Done changed from 80 to 100

PR Merged.

#27 Updated by StarryWang about 2 months ago

  • Related to action #113063: [Tumbleweed][security][backlog] Move swtpm aarch64 tests to production job group added

#28 Updated by StarryWang about 2 months ago

  • Status changed from Feedback to Resolved

Test passed successfully in development job group:
create_swtpm_hdd_aarch: https://openqa.opensuse.org/tests/2436019
security_swtpm_jeos_rpi4: https://openqa.opensuse.org/tests/2435932

Also available in: Atom PDF