Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 2dc428095db12457baa21f1016ed32e016dab5b1^! / . / metropolis / test / swtpm / README.md
commit2dc428095db12457baa21f1016ed32e016dab5b1[log] [tgz]
authorSerge Bazanski <serge@monogon.tech>Tue Jun 04 14:30:19 2024 +0000
committerSerge Bazanski <serge@monogon.tech>Tue Jun 11 17:01:21 2024 +0000
tree64099a44141eb5d5909accafd14925fadc53a9ce
parent72c1f2b4fde0477c9e1d02803fe8c5ffef116f42 [diff] [blame]
m/test/swptm/certtool: init

This implements a minimal GnuTLS certtool replacement. It will be used
by swtpm_setup and friends when generating an emulated TPM certificate.

Change-Id: I7635ccdc50459fec9287ea790488e110c6ce3094
Reviewed-on: https://review.monogon.dev/c/monogon/+/3128
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>

diff --git a/metropolis/test/swtpm/README.md b/metropolis/test/swtpm/README.md
new file mode 100644
index 0000000..e00892e
--- /dev/null
+++ b/metropolis/test/swtpm/README.md

@@ -0,0 +1,32 @@
+swtpm enhancements
+==================
+
+Metropolis uses [swtpm](https://github.com/stefanberger/swtpm) for emulating a
+TPM device when running tests in qemu, eg. end-to-end-tests.
+
+swtpm consists of a runtime emulator (`swtpm`) which runs against a state
+directory and exposes TPM functionality over the socket; and of tooling
+designed to create said state directory (`swtpm_setup`, `swtpm_localca`, etc).
+
+Getting the former to be built with Bazel is generally trivial, as it mostly
+depends on libraries we are already building (glib, openssl/boringssll, etc).
+However, the tooling is another story: it depends heavily on GnuTLS, both as a
+library to link against and as a runtime tool (`certtool`). We already have one
+C implementation of cryptographic primitives in `//third_party` (boringssl),
+dragging another one in would be shameful.
+
+The tooling is also not a single C binary, but a handful of different ones that
+call eachother based on the requested functionality (presumably as a way to
+implement modularity to allow creating swtpm secrets using a HSM, etc).
+
+This subdirectory contains bits and pieces that allow us to use the
+aforementioned tooling without depending on GnuTLS. This is done by patching
+some tools to rip out GnuTLS support, and by replacing other with native Go
+reimplementations.
+
+certtool
+--------
+
+This is a minimal GnuTLS certtool reimplementation in Go. It's used by `swtpm_localca` to generate TLS certificates. An
+alternative to this would be to rewrite `swtpm_localca` entirely to Go, but that seems like a bit too much effort for
+now.
\ No newline at end of file