Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable TPM emulation #23

Merged
merged 6 commits into from
Feb 25, 2022
Merged

Enable TPM emulation #23

merged 6 commits into from
Feb 25, 2022

Conversation

mudler
Copy link
Contributor

@mudler mudler commented Feb 24, 2022
edited

The following commit enables TPM emulation and its configuration in the
os2 configuration file.

TPM Emulation is considered unsafe and meant only for testing purposes.

For example, to enable tpm emulation with a static seed, disabling also
smbios headers:

rancheros:
  tpm:
    emulated: true
    no_smbios: true
    seed: "5"

It also adds a specific test for config file reading via ws with tpm.

Closes: #20

Signed-off-by: Ettore Di Giacinto edigiacinto@suse.com

@mudler mudler force-pushed the emulated_tpm branch 4 times, most recently from 47ef2b2 to 6b07af4 Compare February 24, 2022 10:49
@mudler
Copy link
Contributor Author

mudler commented Feb 25, 2022

Good news is it seems to be triggered just fine with:

#cloud-config
rancheros:
    tpm:
      emulated: true
      seed: 5
    install:
        registrationURL: https://rancher.lan/v1-rancheros/registration/fpdt9q8rtq4zhzwjpp2m6c9vwvjt7l2s5kqjbbt6jpwdznh92hgdtk
        registrationCaCert: |
		-----BEGIN CERTIFICATE-----
		MIIBqDCCAU2gAwIBAgIBADAKBggqhkjOPQQDAjA7MRwwGgYDVQQKExNkeW5hbWlj
		bGlzdGVuZXItb3JnMRswGQYDVQQDExJkeW5hbWljbGlzdGVuZXItY2EwHhcNMjIw
		MjI1MTAyNjIwWhcNMzIwMjIzMTAyNjIwWjA7MRwwGgYDVQQKExNkeW5hbWljbGlz
		dGVuZXItb3JnMRswGQYDVQQDExJkeW5hbWljbGlzdGVuZXItY2EwWTATBgcqhkjO
		PQIBBggqhkjOPQMBBwNCAAQZism1pRiA3T4Iy7JaRQduzoIj3+VQ7diJR8Eat7ig
		xQjJhc/prvPuSD5ZvXJkfuul6PbfpOsAvzQkfKg0HxNNo0IwQDAOBgNVHQ8BAf8E
		BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU/8cdAPHMv/AY6aa/fcXs
		v7bdFo4wCgYIKoZIzj0EAwIDSQAwRgIhAO901vBbpLPVNOknrT0NIxj2jeN6G90D
		SxMto9w8zWAzAiEA38Q6b0GNOW7cAiLRwx1TxrGgNuwtvKz+G2xfnOg52Kc=
		-----END CERTIFICATE-----

although fails as ros-installer is built with CGO_ENABLED=0:

Feb 25 12:21:46 localhost ros-installer[1696]: time="2022-02-25T12:21:46Z" level=info msg="TPM Emulation enabled"
Feb 25 12:21:46 localhost ros-installer[1696]: time="2022-02-25T12:21:46Z" level=info msg="TPM Emulation Seed5"
Feb 25 12:21:46 localhost ros-installer[1696]: time="2022-02-25T12:21:46Z" level=error msg="failed to read registration URL https://rancher.lan/v1-rancheros/registration/fpdt9q8rtq4zhzwjpp2m6c9vwvjt7l2s5kqjbbt6jpwdznh92hgdtk, retrying: opening tpm for getting attestation data: startup: using the simulator requires building with CGO"
Feb 25 12:22:01 localhost ros-installer[1696]: time="2022-02-25T12:22:01Z" level=info msg="TPM Emulation enabled"
Feb 25 12:22:01 localhost ros-installer[1696]: time="2022-02-25T12:22:01Z" level=info msg="TPM Emulation Seed5"
Feb 25 12:22:01 localhost ros-installer[1696]: time="2022-02-25T12:22:01Z" level=error msg="failed to read registration URL https://rancher.lan/v1-rancheros/registration/fpdt9q8rtq4zhzwjpp2m6c9vwvjt7l2s5kqjbbt6jpwdznh92hgdtk, retrying: opening tpm for getting attestation data: startup: using the simulator requires building with CGO"

@mudler
Copy link
Contributor Author

mudler commented Feb 25, 2022

Seems tests failed just for a timeout:

            "status": {
                "conditions": [
                    {
                        "lastProbeTime": null,
                        "lastTransitionTime": "2022-02-25T14:27:19Z",
                        "status": "True",
                        "type": "Initialized"
                    },
                    {
                        "lastProbeTime": null,
                        "lastTransitionTime": "2022-02-25T14:27:19Z",
                        "message": "containers with unready status: [rancheros-operator]",
                        "reason": "ContainersNotReady",
                        "status": "False",
                        "type": "Ready"
                    },
                    {
                        "lastProbeTime": null,
                        "lastTransitionTime": "2022-02-25T14:27:19Z",
                        "message": "containers with unready status: [rancheros-operator]",
                        "reason": "ContainersNotReady",
                        "status": "False",
                        "type": "ContainersReady"
                    },
                    {
                        "lastProbeTime": null,
                        "lastTransitionTime": "2022-02-25T14:27:19Z",
                        "status": "True",
                        "type": "PodScheduled"
                    }

As the ros-operator was coming up still.

@mudler
Enable TPM emulation
6a47c2f 
The following commit enables TPM emulation and its configuration in the
os2 configuration file.

TPM Emulation is considered unsafe and meant only for testing purposes.

For example, to enable tpm emulation with a static seed, disabling also
smbios headers:
```
rancheros:
  tpm:
    emulated: true
    no_smbios: true
    seed: "5"
```

It also adds a specific test for config file reading via ws with tpm.

Closes: #20

Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com>
@mudler
Enable CGO on ros-installer builds
3327b5a 
Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com>
@mudler
Enable neednet when booting from active/passive
a15eb46 
Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com>
@mudler
Minor output fixup
4f8d016 
Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com>
@mudler
ci: run on GHA
f830f7d 
Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com>
@mudler
Add openssl-devel
d496d96 
Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com>
@mudler
Copy link
Contributor Author

mudler commented Feb 25, 2022
edited

Seems to work, as I've tested this manually. getting another unrelated issue now that @kkaempf is facing too, but that deserves its own PR. this one shouldn't be blocked:

localhost:~ # ros-installer
INFO[0000] TPM Emulation enabled                        
INFO[0000] TPM Emulation Seed '5'                       
INFO[0000] Using TPMHash 2f4faaebb65f37d803d6ef954e91f73983a53c502cb7ce1fb7daa9c5d1641213 to dial wss://rancher.lan/v1-rancheros/registration/csdkbh2c2gcmp5kx9nt2mqlfd772lnl4tfl6cf7mj4t8qfhptbwpz6 
INFO[0004] Retrieved config from registrationURL: {"install":{"device":"/dev/vda"},"rancherd":{"server":"https://rancher.lan","token":"tpm://"},"rancheros":{"install":{"automatic":true,"isoUrl":"https://github.com/rancher/os2/releases/download/v0.1.0-alpha12/rancheros-v0.1.0-alpha12-amd64.iso"}},"users":[{"name":"root","passwd":"root"}]} 
Install environment:
ELEMENTAL_CLOUD_INIT=/tmp/ros-install582744199
ELEMENTAL_ISO=https://github.com/rancher/os2/releases/download/v0.1.0-alpha12/rancheros-v0.1.0-alpha12-amd64.iso
ELEMENTAL_AUTOMATIC=true
ELEMENTAL_TARGET=/dev/sda
DEBU[2022-02-25T17:18:21Z] Loading luet config from /etc/luet/luet.yaml 
INFO[2022-02-25T17:18:21Z] Install called                               
INFO[2022-02-25T17:18:21Z] Running before-install hook                  
INFO[2022-02-25T17:18:21Z] Downloading from https://github.com/rancher/os2/releases/download/v0.1.0-alpha12/rancheros-v0.1.0-alpha12-amd64.iso to /tmp/elemental906251707/cOs.iso 
INFO[2022-02-25T17:18:23Z] Mounting iso /tmp/elemental906251707/cOs.iso into /tmp/elemental906251707/iso-mounted 
E0225 17:18:23.182684    1691 mount_linux.go:195] Mount failed: exit status 32
Mounting command: systemd-run
Mounting arguments: --description=Kubernetes transient mount for /tmp/elemental906251707/iso-mounted --scope -- mount -t loop /tmp/elemental906251707/cOs.iso /tmp/elemental906251707/iso-mounted
Output: Running scope as unit: run-r0d6156aedcaa46f1ad765c313289bf94.scope
mount: /tmp/elemental906251707/iso-mounted: unknown filesystem type 'loop'.

Error: 1 error occurred:
        * mount failed: exit status 32
Mounting command: systemd-run
Mounting arguments: --description=Kubernetes transient mount for /tmp/elemental906251707/iso-mounted --scope -- mount -t loop /tmp/elemental906251707/cOs.iso /tmp/elemental906251707/iso-mounted
Output: Running scope as unit: run-r0d6156aedcaa46f1ad765c313289bf94.scope
mount: /tmp/elemental906251707/iso-mounted: unknown filesystem type 'loop'.



FATA[0006] exit status 1

@mudler mudler marked this pull request as ready for review February 25, 2022 16:19
davidcassany
davidcassany approved these changes Feb 25, 2022
View reviewed changes
Copy link
Contributor

@davidcassany davidcassany left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, looks pretty simple :)

However I am still concerned we are forced to make use of TPM, isn't it a limitation in the world of embedded or tiny devices? Anyway that's another discussion.

@mudler
Copy link
Contributor Author

mudler commented Feb 25, 2022

Nice, looks pretty simple :)

However I am still concerned we are forced to make use of TPM, isn't it a limitation in the world of embedded or tiny devices? Anyway that's another discussion.

I fully agree here, let's leave it indeed for a follow-up discussion

@mudler mudler mentioned this pull request Feb 25, 2022
Closed
@mudler mudler merged commit 7741733 into master Feb 25, 2022
@mudler mudler deleted the emulated_tpm branch February 25, 2022 17:50
mudler pushed a commit that referenced this pull request Jun 3, 2022
Move tests to ginkgo (#23)
86d88fb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidcassany davidcassany davidcassany approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TPM emulation
2 participants
@mudler @davidcassany