Support virtualized TPM attachments to qemu VMS, plus refactor.#336
Draft
amstewart wants to merge 4 commits intoni:nilrt/master/scarthgapfrom
Draft
Support virtualized TPM attachments to qemu VMS, plus refactor.#336amstewart wants to merge 4 commits intoni:nilrt/master/scarthgapfrom
amstewart wants to merge 4 commits intoni:nilrt/master/scarthgapfrom
Conversation
added 4 commits
March 2, 2026 15:53
QEMU throws an error when executing the start script like ... ``` qemu-system-x86_64: -drive if=pflash,format=raw,readonly,file=./OVMF/OVMF_CODE.fd: warning: short-form boolean option 'readonly' deprecated Please use readonly=on instead ``` Use the new option syntax to satisfy the warning. Signed-off-by: Alex Stewart <alex.stewart@emerson.com> (cherry picked from commit 20c513a) Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Using the swtpm package, linux users can emulate a TPM device - which is useful when testing Secure Boot and NI Device Encryption workflows locally. Add a `-t` option to the QEMU start script that creates and attaches a software TPM to the VM. Signed-off-by: Alex Stewart <alex.stewart@emerson.com> (cherry picked from commit e38c6f2) Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The build.vms.sh pipeline script and associated vm-resources are somewhat difficult to comprehend and also use a statically built OVMF UEFI BIOS. In order to support TPM-based secure-boot/measured-boot testing, we should use the OVMF output from OE. While we're here, refactor the build.vms tooling to use a Makefile in a directory called `qemu`, which is hopefully a little easier to maintain. Signed-off-by: Alex Stewart <alex.stewart@emerson.com> (cherry picked from commit d8f2efc) Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Docker issues two warnings with the current Dockerfile. 1. Warns that the PYREX_IMAGE arg can have a blank value, resulting in an invalid Dockerfile. This is mostly fine, but change to let it use `pyrex-base` as a default, so that docker will stop complaining. 2. Warns that 'FROM' and 'as' on line 2 use different casing. So make them both uppercase. Signed-off-by: Alex Stewart <alex.stewart@emerson.com> (cherry picked from commit 0f6e0cc) Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
-t). When asserted, the script will create, initialize, and attach a virtualized TPM2.0 device to the VM using theswtpmdistro package on the host machine.build.vms.shbash script, use a Makefile - where the logic is easeier to parse.ovmfrecipe in OE-core to build the UEFI firmware, instead of using a static copy from somewhere.Testing
Process
next/ref.Suggested Reviewers: