[next] Support virtualized TPM attachments to qemu VMS, plus refactor.#346
Draft
amstewart wants to merge 4 commits into
Draft
[next] Support virtualized TPM attachments to qemu VMS, plus refactor.#346amstewart wants to merge 4 commits into
amstewart wants to merge 4 commits into
Conversation
added 4 commits
March 18, 2026 11:59
QEMU throws an error when executing the start script like ... ``` qemu-system-x86_64: -drive if=pflash,format=raw,readonly,file=./OVMF/OVMF_CODE.fd: warning: short-form boolean option 'readonly' deprecated Please use readonly=on instead ``` Use the new option syntax to satisfy the warning. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Using the swtpm package, linux users can emulate a TPM device - which is useful when testing Secure Boot and NI Device Encryption workflows locally. Add a `-t` option to the QEMU start script that creates and attaches a software TPM to the VM. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The build.vms.sh pipeline script and associated vm-resources are somewhat difficult to comprehend and also use a statically built OVMF UEFI BIOS. In order to support TPM-based secure-boot/measured-boot testing, we should use the OVMF output from OE. While we're here, refactor the build.vms tooling to use a Makefile in a directory called `qemu`, which is hopefully a little easier to maintain. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Docker issues two warnings with the current Dockerfile. 1. Warns that the PYREX_IMAGE arg can have a blank value, resulting in an invalid Dockerfile. This is mostly fine, but change to let it use `pyrex-base` as a default, so that docker will stop complaining. 2. Warns that 'FROM' and 'as' on line 2 use different casing. So make them both uppercase. Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
-t). When asserted, the script will create, initialize, and attach a virtualized TPM2.0 device to the VM using theswtpmdistro package on the host machine.build.vms.shbash script, use a Makefile - where the logic is easeier to parse.ovmfrecipe in OE-core to build the UEFI firmware, instead of using a static copy from somewhere.AB#3752806
Testing
Process
Suggested Reviewers: