Serge Bazanski | 2dc4280 | 2024-06-04 14:30:19 +0000

swtpm enhancements
==================

Metropolis uses [swtpm](https://github.com/stefanberger/swtpm) for emulating a
TPM device when running tests in qemu, e.g. end-to-end tests.

swtpm consists of a runtime emulator (`swtpm`) which runs against a state
directory and exposes TPM functionality over a socket, and of tooling
designed to create said state directory (`swtpm_setup`, `swtpm_localca`, etc.).

Getting the former to build with Bazel is generally trivial, as it mostly
depends on libraries we are already building (glib, openssl/boringssl, etc.).
However, the tooling is another story: it depends heavily on GnuTLS, both as a
library to link against and as a runtime tool (`certtool`). We already have one
C implementation of cryptographic primitives in `//third_party` (boringssl);
dragging another one in would be shameful.

The tooling is also not a single C binary, but a handful of different ones that
call each other based on the requested functionality (presumably as a way to
implement modularity, e.g. to allow creating swtpm secrets using an HSM).

This subdirectory contains bits and pieces that allow us to use the
aforementioned tooling without depending on GnuTLS. This is done by patching
some tools to rip out GnuTLS support, and by replacing others with native Go
reimplementations.

certtool
--------

This is a minimal GnuTLS certtool reimplementation in Go. It's used by
`swtpm_localca` to generate TLS certificates. An alternative would be to
rewrite `swtpm_localca` entirely in Go, but that seems like a bit too much
effort for now.
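The page only describes the certtool replacement by its role (generating TLS certificates on behalf of `swtpm_localca`). As an added illustration, and not the project's own certtool code, the following stand-alone Go program shows the core of what such a tool has to do with nothing beyond the standard library: create a self-signed CA, issue a leaf certificate signed by it, verify the resulting chain, and emit PEM. The function names, the P-256 key choice, the validity periods and the subject names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// randomSerial returns a positive 128-bit serial (RFC 5280 caps serials at 20
// octets; a random value avoids collisions between runs of the tool).
func randomSerial() (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), 128)
	return rand.Int(rand.Reader, limit)
}

// GenerateCA creates a self-signed CA certificate plus its private key, the
// equivalent of certtool's "generate self-signed CA" role. (Hypothetical
// helper for this example; P-256 is an assumption.)
func GenerateCA(cn string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute), // tolerate small clock skew
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: template and parent are the same certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf signs an end-entity certificate for cn with the given CA, which is
// what the CA is later used for. The leaf is explicitly not a CA.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validFor),
		IsCA:                  false,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyChain checks that leaf chains to ca and to nothing else; a leaf issued
// by a different CA must fail here.
func VerifyChain(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// EncodePEM renders a certificate in the PEM container certtool writes out.
func EncodePEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

func main() {
	ca, caKey, err := GenerateCA("example local CA", 24*time.Hour)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	leaf, _, err := IssueLeaf(ca, caKey, "localhost", time.Hour)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := VerifyChain(leaf, ca); err != nil {
		fmt.Fprintln(os.Stderr, "chain does not verify:", err)
		os.Exit(1)
	}
	os.Stdout.Write(EncodePEM(ca))
	os.Stdout.Write(EncodePEM(leaf))
}
```

The negative check in `VerifyChain` is the part worth keeping in any rewrite of a certificate tool: whatever the CA format, the tool's own output should be verified against the CA it claims to have been signed by before it is handed to `swtpm_localca`.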