Project

General

Profile

action #115919

[security] test fails in tpm2_measured_boot

Added by punkioudi 3 months ago. Updated 26 days ago.

Status:
Blocked
Priority:
Normal
Assignee:
Category:
Bugs in existing tests
Target version:
-
Start date:
2022-08-29
Due date:
% Done:

50%

Estimated time:
Difficulty:
Tags:

Description

ls: cannot access '/sys/kernel/security/tpm0/binary_bios_measurements': No such file or directory
It fails only in aarch64 and passes fine in x86_64, so either it is a product bug, either the path has changed for aarch64? (which doesn't make much sense :P )

Acceptance Criteria

  1. Identify if it is a product bug
  2. If it is a bug, open a bugzilla ticket under SUSE Linux Enterprise Server 15 SP5
  3. If it is a test issue, adjust the test accordingly and run Verification runs.

Observation

openQA test in scenario sle-15-SP5-Online-aarch64-security_tpm2_swtpm@aarch64 fails in
tpm2_measured_boot

Test suite description

The base test suite is used for job templates defined in YAML documents. It has no settings of its own.

Reproducible

Fails since (at least) Build 15.2 (current job)

Expected result

Last good: (unknown) (or more recent)

Further details

Always latest result in this scenario: latest

History

#1 Updated by pstivanin 3 months ago

  • Status changed from New to In Progress
  • Assignee set to pstivanin

#2 Updated by pstivanin 3 months ago

It fails also on 15-SP3 and 15-SP4 for aarch64. Looking into it.

#3 Updated by pstivanin 3 months ago

That's weird. I've downloaded the qcow2 (https://openqa.suse.de/tests/9411670#settings) and booted it using the aarch64 emulator. I then went through the setup phase (https://openqa.suse.de/tests/9411670/modules/tpm2_env_setup/steps/1/src) and the test phase (https://openqa.suse.de/tests/9411671/modules/tpm2_measured_boot/steps/1/src), and I'm getting a diff in the latter.
When executing ls /sys/kernel/security/tpm0/binary_bios_measurements, on openqa we get:

ls: cannot access '/sys/kernel/security/tpm0/binary_bios_measurements': No such file or directory

while locally I get:

/sys/kernel/security/tpm0/binary_bios_measurements

#4 Updated by pstivanin 3 months ago

There are no packages diff between the old green 151.1 (https://openqa.suse.de/tests/8752505#step/tpm2_env_setup/30) and the new red (https://openqa.suse.de/tests/9412083#step/tpm2_env_setup/3) tests.

#5 Updated by pstivanin 3 months ago

I've used the developer mode to look around the vm, and I couldn't see any notable difference compared to my local setup. E.g., /proc/cmdline and /proc/cpuinfo were identical.

One diff I see compared to my local emulated vm is from dmesg. On the openqa vm I see:

tpm tpm0: A TPM error (256) occurred attempting the self test

#6 Updated by pstivanin 3 months ago

I've created a vm in the arm4 hypervisor, imported the qcow2 from the test and executed it.

# ls /sys/kernel/security/tpm0/
binary_bios_measurements

Everything is OK and works as supposed. I'm now thinking that there is some kind of misconfiguration in openqa somewhere.

#7 Updated by pstivanin 3 months ago

The measurement file is not created because in openqa the selftest fails.

[   17.094738] tpm tpm0: A TPM error (256) occurred attempting the self test
[   17.100985] tpm tpm0: starting up the TPM manually

This is not happening anywhere else, just in openqa. Wonder why...

#8 Updated by pstivanin 3 months ago

Test is working fine on both Leap-aarch64 (https://openqa.opensuse.org/tests/2585650) and TW-aarch64 (https://openqa.opensuse.org/tests/2567304) ...

#9 Updated by pstivanin 3 months ago

These are the packages diff between 151.1 and today:

today:
openssl3/libopenssl3/libopenssl-3-devel -> 3.0.1-150400.4.7.1
libpcre16/libpcrecpp0/libpcreposix0/pcre-devel -> 0-8.45-150000.20.13.1
glibc-devel-2.31-150300.37.1
libmount-devel/libblkid-devel -> 2.37.2-150400.8.3.1
libcurl-devel -> 7.79.1-150400.5.6.1
zlib-devel -> 1.2.11-150000.3.33.1


151.1:
openssl3/libopenssl3/libopenssl-3-devel -> 3.0.1-150400.2.4
libpcre16/libpcrecpp0/libpcreposix0/pcre-devel -> 0-8.45-20.10.1
glibc-devel -> 2.31-150300.20.7
libmount-devel/libblkid-devel -> 2.37.2-150400.6.26
libcurl-devel -> 7.79.1-150400.3.1
zlib-devel -> 1.2.11-150000.3.30.1

#10 Updated by pstivanin 3 months ago

It's not a regression, because Build15.2 is using the same packages as Leap, and on Leap the test is green.
The jobgroups are the same, the code is the same.

#11 Updated by pstivanin 3 months ago

So I was to get the installed packages on both osd-arm3 and o3-aarch64, and they have the same exact packages installed. Same package and build version.

#12 Updated by pstivanin 3 months ago

found the culprit thanks to Fabian!

qemu-uefi-aarch64 differs on OSD and O3:

  • o3: 202008-150300.10.15.1
  • osd: 202008-10.8.1

That's because someone locked those packages:

# salt 'openqaworker-arm-3.suse.de' cmd.run 'zypper ll'
openqaworker-arm-3.suse.de:

    # | Name              | Type    | Repository | Comment
    --+-------------------+---------+------------+--------
    1 | qemu-ovmf-x86_64  | package | (any)      | 
    2 | qemu-uefi-aarch64 | package | (any)      |

#14 Updated by pstivanin 3 months ago

  • Status changed from In Progress to Blocked
  • % Done changed from 0 to 50

Blocked until the locks can be removed and the packages can be updated.

#16 Updated by pstivanin about 1 month ago

Ticket still blocked due to the above issue(s).

Also available in: Atom PDF