metropolis: use swtpm from monorepo
Change-Id: I6da94c7eaa31930d120955a17661152fc284f4a0
Reviewed-on: https://review.monogon.dev/c/monogon/+/3130
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/node/BUILD.bazel b/metropolis/node/BUILD.bazel
index b056dc3..17ae73c 100644
--- a/metropolis/node/BUILD.bazel
+++ b/metropolis/node/BUILD.bazel
@@ -141,10 +141,17 @@
cmd = """
mkdir -p tpm/ca
+
cat <<EOF > tpm/swtpm.conf
-create_certs_tool= /usr/share/swtpm/swtpm-localca
+create_certs_tool= $(location @swtpm//:swtpm_localca)
create_certs_tool_config = tpm/swtpm-localca.conf
-create_certs_tool_options = /etc/swtpm-localca.options
+create_certs_tool_options = tpm/swtpm-localca.options
+EOF
+
+ cat <<EOF > tpm/swtpm-localca.options
+--platform-manufacturer Monogon
+--platform-version 23.42
+--platform-model SWTPM
EOF
cat <<EOF > tpm/swtpm-localca.conf
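Review bot: The `create_certs_tool` entry written into tpm/swtpm.conf is whatever `$(location @swtpm//:swtpm_localca)` expands to, which in a genrule is normally a path relative to the execroot, so it resolves only while swtpm_setup and everything it spawns keep that working directory. The same applies to the two `export PATH=...` lines and the `--tpm` argument in the following hunk; relative PATH entries in particular are looked up against the current directory of whichever process performs the lookup. Anchoring them removes that dependency, e.g. `create_certs_tool= $$PWD/$(location @swtpm//:swtpm_localca)` and `export PATH="$$PWD/$$(dirname $(location //metropolis/test/swtpm/certtool)):$$PATH"`. The genrule's `cmd` string starts and ends outside this hunk.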
@@ -154,7 +161,10 @@
certserial = tpm/ca/certserial
EOF
- swtpm_setup \
+ export PATH="$$(dirname $(location //metropolis/test/swtpm/certtool)):$$PATH"
+ export PATH="$$(dirname $(location //metropolis/test/swtpm/swtpm_cert)):$$PATH"
+ $(location @swtpm//:swtpm_setup) \
+ --tpm "$(location @swtpm//:swtpm) socket" \
--tpmstate tpm \
--create-ek-cert \
--create-platform-cert \
@@ -168,6 +178,13 @@
cp tpm/ca/issuercert.pem $(location tpm/issuercert.pem)
cp tpm/ca/signkey.pem $(location tpm/signkey.pem)
""",
+ tools = [
+ "//metropolis/test/swtpm/certtool",
+ "//metropolis/test/swtpm/swtpm_cert",
+ "@swtpm",
+ "@swtpm//:swtpm_localca",
+ "@swtpm//:swtpm_setup",
+ ],
visibility = [
"//metropolis/cli/metroctl/test:__subpackages__",
"//metropolis/test/e2e:__subpackages__",
diff --git a/metropolis/test/launch/cluster/BUILD.bazel b/metropolis/test/launch/cluster/BUILD.bazel
index 2685e2c..89f7a7a 100644
--- a/metropolis/test/launch/cluster/BUILD.bazel
+++ b/metropolis/test/launch/cluster/BUILD.bazel
@@ -15,6 +15,7 @@
"//metropolis/test/nanoswitch:initramfs",
"//third_party/edk2:firmware",
"@com_github_bonzini_qboot//:qboot-bin",
+ "@swtpm",
],
importpath = "source.monogon.dev/metropolis/test/launch/cluster",
visibility = ["//visibility:public"],
diff --git a/metropolis/test/launch/cluster/cluster.go b/metropolis/test/launch/cluster/cluster.go
index e7a49a2..4c678a1 100644
--- a/metropolis/test/launch/cluster/cluster.go
+++ b/metropolis/test/launch/cluster/cluster.go
@@ -326,10 +326,18 @@
}
// Start TPM emulator as a subprocess
+ swtpm, err := runfiles.Rlocation("swtpm/swtpm")
+ if err != nil {
+ return fmt.Errorf("could not find swtpm: %w", err)
+ }
+
tpmCtx, tpmCancel := context.WithCancel(options.Runtime.ctxT)
tpmd := filepath.Join(r.ld, "tpm")
- tpmEmuCmd := exec.CommandContext(tpmCtx, "swtpm", "socket", "--tpm2", "--tpmstate", "dir="+tpmd, "--ctrl", "type=unixio,path="+tpmSocketPath)
+ tpmEmuCmd := exec.CommandContext(tpmCtx, swtpm, "socket", "--tpm2", "--tpmstate", "dir="+tpmd, "--ctrl", "type=unixio,path="+tpmSocketPath)
+ // Silence warnings from unsafe libtpms build (uses non-constant-time
+ // cryptographic operations).
+ tpmEmuCmd.Env = append(tpmEmuCmd.Env, "MONOGON_LIBTPMS_ACKNOWLEDGE_UNSAFE=yes")
tpmEmuCmd.Stderr = os.Stderr
tpmEmuCmd.Stdout = os.Stdout
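Review bot: `tpmEmuCmd.Env = append(tpmEmuCmd.Env, ...)` starts from a nil slice, and os/exec only inherits the parent's environment while `Env` is nil, so after this line swtpm runs with `MONOGON_LIBTPMS_ACKNOWLEDGE_UNSAFE=yes` as its entire environment (no PATH, HOME or TMPDIR). If a clean environment is not intended, build on the parent's: `tpmEmuCmd.Env = append(os.Environ(), "MONOGON_LIBTPMS_ACKNOWLEDGE_UNSAFE=yes")`; if it is intended, the comment should say so. The comment could also record why acknowledging the non-constant-time libtpms build is acceptable here, presumably because this emulator only backs test clusters. The enclosing function starts and ends outside the hunk.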