diff --git a/.github/workflows/jumpstarter-pr-push-and-scheduled.yaml b/.github/workflows/jumpstarter-pr-push-and-scheduled.yaml
index 749dec9..b884fa6 100644
--- a/.github/workflows/jumpstarter-pr-push-and-scheduled.yaml
+++ b/.github/workflows/jumpstarter-pr-push-and-scheduled.yaml
@@ -43,7 +43,7 @@ jobs:
 runs-on: [self-hosted, linux, jumpstarter-rpi4]
 defaults:
 run:
- working-directory: ./fedora-rawhide
+ working-directory: ./fedora-40
 steps:
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/fedora-40/Makefile b/fedora-40/Makefile
new file mode 100644
index 0000000..2cd4396
--- /dev/null
+++ b/fedora-40/Makefile
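Review bot: The hunk moves the self-hosted job's `working-directory` from `./fedora-rawhide` to `./fedora-40`, but nothing here records whether the rawhide directory is retired or is meant to get its own job; the same commit still edits `fedora-rawhide/scripts/prepare-latest-raw`, so as far as the visible lines show that tree is maintained yet no longer exercised by this workflow. A one-line comment above `working-directory`, e.g. `# fedora-40 is the release under test; fedora-rawhide is kept but not run here`, would make the intent explicit.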
@@ -0,0 +1,78 @@
+DEVICE=rpi4-00
+
+###############################################################################
+# Targets that interact with the DUT via Jumpstarter
+###############################################################################
+
+test-in-hardware: umount images/latest.raw images/.prepared
+ sudo -E jumpstarter run-script test-tpm-on-latest-raw.yaml
+
+write-image: umount images/latest.raw images/.prepared
+ sudo -E jumpstarter run-script setup-latest-raw.yaml
+
+power-on:
+ jumpstarter power on -a $(DEVICE)
+
+console:
+ jumpstarter console $(DEVICE)
+
+power-off:
+ jumpstarter detach-storage $(DEVICE)
+ jumpstarter power off $(DEVICE)
+
+###############################################################################
+# Image preparation targets
+###############################################################################
+
+download-image:
+ scripts/download-latest-fedora
+
+prepare-image: images/latest.raw mount
+ scripts/prepare-latest-raw
+ touch images/.prepared
+ umount mnt
+
+images/.prepared:
+ make prepare-image
+
+images/latest.raw.xz:
+ make download-image
+
+images/latest.raw: images/latest.raw.xz
+ xz -d -v -T0 -k $^
+ touch images/latest.raw
+ rm -f images/.prepared
+
+clean-image:
+ rm -f images/.prepared
+ rm -f images/latest.raw
+
+clean-images: clean-image
+ rm -rf images/dl.fedoraproject.org
+ rm -rf images/latest.raw.xz
+
+###############################################################################
+# Image manipulation targets
+###############################################################################
+
+mnt:
+ mkdir -p $@
+
+umount:
+ umount mnt || true
+
+mount: umount images/latest.raw mnt
+ guestmount -a images/latest.raw -m /dev/fedora/root -m /dev/sda2:/boot -m /dev/sda1:/boot/efi -o allow_other --rw mnt
+
+
+###############################################################################
+# phony targets are targets which don't produce files, just for utility 
+###############################################################################
+
+
+.PHONY: download-image prepare-image
+.PHONY: test-in-hardware
+.PHONY: write-image
+.PHONY: power-on power-off
+.PHONY: console
+.PHONY: mount umount
diff --git a/fedora-40/images/.gitkeep b/fedora-40/images/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/fedora-40/scripts/download-latest-fedora b/fedora-40/scripts/download-latest-fedora
new file mode 100755
index 0000000..d239e82
--- /dev/null
+++ b/fedora-40/scripts/download-latest-fedora
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+IMG_PATH=dl.fedoraproject.org/pub/fedora/linux/releases/40/Server/aarch64/images/
+CACHE="./images"
+wget "https://${IMG_PATH}" -np -m -A '*raw.xz' -c -P "${CACHE}"
+# use the latest compose image
+LATEST_IMG=$(ls -Art "${CACHE}/${IMG_PATH}"/*.raw.xz | tail -n 1)
+
+echo "Latest image: ${LATEST_IMG}"
+
+# calculate full path to LATEST_IMG
+LATEST_IMG_FULLPATH=$(readlink -f ${LATEST_IMG})
+EXISTING_LINK=$(readlink "${CACHE}/latest.raw.xz" || true )
+# if the link has changed, update the link
+if [[ "${LATEST_IMG_FULLPATH}" != "${EXISTING_LINK}" ]]; then
+ echo "Updating link from latest.raw.xz -> ${LATEST_IMG}"
+ ln -fs "${LATEST_IMG_FULLPATH}" "${CACHE}/latest.raw.xz"
+else
+ echo "We are up-to-date."
+fi
diff --git a/fedora-40/scripts/prepare-latest-raw b/fedora-40/scripts/prepare-latest-raw
new file mode 100755
index 0000000..b1c186f
--- /dev/null
+++ b/fedora-40/scripts/prepare-latest-raw
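Review bot: The `images/.prepared` and `images/latest.raw.xz` recipes re-invoke `make` literally, which drops the parent's flags and jobserver; use `$(MAKE) prepare-image` and `$(MAKE) download-image`. `clean-image` and `clean-images` are commands rather than files but are absent from the `.PHONY` lists at the end of the file; add `.PHONY: clean-image clean-images`. The download script publishes `images/latest.raw.xz` as a symlink, and I believe `xz -d -k` skips symlink inputs with a warning unless `-f` is given, in which case the unconditional `touch images/latest.raw` that follows would stamp a missing or stale file as up to date; `xz -d -v -T0 -k -f $^` with the touch removed avoids that. `sudo -E` in `test-in-hardware` and `write-image` hands the runner's whole environment to the root-run jumpstarter process; exporting only the variables it needs keeps that boundary narrower.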
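Review bot: The image fetched by `wget` at the top of the hunk is never integrity-checked before it is linked as `latest.raw.xz`, decompressed, mounted read-write and written to the DUT; Fedora publishes a signed CHECKSUM file next to the release images, so fetching it with the same `wget` invocation (e.g. `-A '*raw.xz,*CHECKSUM'`) and running `sha256sum -c --ignore-missing` in the image directory before updating the link would pin what gets flashed. `set -e` does not cover the `ls ... | tail -n 1` pipeline, so a directory with no matching images leaves `LATEST_IMG` empty and the failure only surfaces later in `readlink`; `set -eo pipefail` plus a `[[ -n "${LATEST_IMG}" ]]` guard makes the failure explicit at the source. `readlink -f ${LATEST_IMG}` is the one unquoted expansion in the script; quote it like the others.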
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -x
+
+sudo sed -i 's/rhgb quiet/rhgb console=ttyS0,115200/g' mnt/boot/loader/entries/* mnt/etc/default/grub mnt/etc/kernel/cmdline
+# assign changeme password to root
+sudo sed -i 's%root:!locked::0:99999:7:::%root:$y$j9T$Sw1lg2a7i/0vWoufwxYsSzAk$RrdQ6C4bUsOE3uy0mErsbOA7LOF4x2R8zP5XW6jpA1/::0:99999:7:::%g' mnt/etc/shadow
+#sudo rm -f mnt/etc/systemd/system/*/initial-setup.service
+#sudo rm -f mnt/etc/systemd/system/*/smartd.service
+# enable SPI and the TPM we use in the dtbs
+cat << EOF | sudo tee -a mnt/boot/efi/config.txt
+dtparam=spi=on
+dtoverlay=tpm-slb9670
+EOF
+sudo rm -f mnt/etc/.pwd.lock
+
diff --git a/fedora-40/setup-latest-raw.yaml b/fedora-40/setup-latest-raw.yaml
new file mode 100644
index 0000000..2ca42b3
--- /dev/null
+++ b/fedora-40/setup-latest-raw.yaml
@@ -0,0 +1,9 @@
+name: "Setup latest.raw in DUT disk"
+selector:
+ - rpi4
+
+steps:
+ - power: "off"
+ - set-disk-image:
+ image: "images/latest.raw"
+ - storage: "attach"
diff --git a/fedora-40/test-tpm-on-latest-raw.yaml b/fedora-40/test-tpm-on-latest-raw.yaml
new file mode 100644
index 0000000..1544579
--- /dev/null
+++ b/fedora-40/test-tpm-on-latest-raw.yaml
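Review bot: The script runs under `set -x` but not `set -e`, so when the `sed` on `mnt/etc/shadow` matches nothing (it keys on the exact `root:!locked::0:99999:7:::` record) the image is still marked prepared by the Makefile and the later serial login in test-tpm-on-latest-raw.yaml stalls at `Password:` with no hint why. `set -ex` plus a check after the edit, `grep -q '^root:\$y\$' mnt/etc/shadow || exit 1`, turns that into an immediate error. The two commented-out `sudo rm -f` lines are dead code; delete them or say in a comment why they are kept. `tee -a` appends the two `config.txt` lines on every run, so repeating `make prepare-image` against the same `latest.raw` duplicates them; prefixing the heredoc with `grep -q 'dtoverlay=tpm-slb9670' mnt/boot/efi/config.txt ||` keeps the step idempotent.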
@@ -0,0 +1,93 @@
+name: "Setup latest.raw in DUT disk"
+selector:
+ - rpi4
+
+expect-timeout: 100
+
+steps:
+ - power: "off"
+ - set-disk-image:
+ image: "images/latest.raw"
+ - storage: "attach"
+ - power: "on"
+ - expect:
+ this: "Booting"
+
+ - expect:
+ this: "Please make a selection from the above"
+
+ - send:
+ this:
+ - "4\n"
+ - expect:
+ this: "Password:"
+
+ - send:
+ this:
+ - "changeme\n"
+ - "changeme\n"
+ - "yes\n"
+ echo: false
+
+ - expect:
+ this: "Please make a selection from the above"
+
+ - send:
+ this:
+ - "c\n"
+
+ - expect:
+ this: "login: "
+
+ - send:
+ this:
+ - "root\n"
+ echo: false
+
+ - expect:
+ this: "Password:"
+
+ - send:
+ this:
+ - "changeme\n"
+
+ - expect:
+ this: "#"
+
+ - send:
+ this:
+ - "dnf install -y tpm2-tools tpm2-pkcs11 tpm2-tss tpm2-tss-devel tpm2-tss-engine tpm2-tss-engine-utilities\n"
+
+ - expect:
+ this: "Complete!"
+ timeout: 500
+
+ - comment: "Verifying TPM interactions via tpm2 tools"
+ - send:
+ this:
+ - "tpm2_createprimary -C e -c primary.ctx\n"
+ - "tpm2_create -G rsa -u key.pub -r key.priv -C primary.ctx\n"
+ - "tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx\n"
+ - "echo my message > message.dat\n"
+ - "tpm2_sign -c key.ctx -g sha256 -o sig.rssa message.dat\n"
+ - "tpm2_verifysignature -c key.ctx -g sha256 -s sig.rssa -m message.dat\n"
+ - "echo result: $?\n"
+
+ - expect:
+ this: "value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt"
+ - expect:
+ this: "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign"
+ - expect:
+ this: "name: "
+ - expect:
+ this: "result: 0"
+ - expect:
+ this: "# "
+
+cleanup:
+ - send:
+ this:
+ - "poweroff\n"
+ - pause: 20
+ - power: "off"
+
diff --git a/fedora-rawhide/scripts/prepare-latest-raw b/fedora-rawhide/scripts/prepare-latest-raw
index 08ac052..b1c186f 100755
--- a/fedora-rawhide/scripts/prepare-latest-raw
+++ b/fedora-rawhide/scripts/prepare-latest-raw
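Review bot: `echo: false` is set on the send of `root` after the `login:` expect but not on the `changeme` send that follows the next `Password:` expect, while the earlier initial-setup password sends do carry it; assuming `echo: false` suppresses the sent text in the transcript, the flag looks like it landed on the wrong step and the root password is written to the log. The file's `name` is copied from setup-latest-raw.yaml (`Setup latest.raw in DUT disk`); `name: "Test TPM on latest.raw"` would describe what this script runs. `echo result: $?` reports only the exit status of `tpm2_verifysignature`, so a failing `tpm2_createprimary` or `tpm2_load` is caught only indirectly by the `value:` and `name:` expects; chaining the tpm2 commands with `&&` would make `result: 0` cover the whole sequence. The `dnf install` step pulls packages from the network on the DUT at test time under a 500 s timeout; a comment stating that outbound access is required (or pre-installing the tools in prepare-latest-raw) would save a confusing timeout.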
@@ -5,7 +5,7 @@ sudo sed -i 's/rhgb quiet/rhgb console=ttyS0,115200/g' mnt/boot/loader/entries/*
 # assign changeme password to root
 sudo sed -i 's%root:!locked::0:99999:7:::%root:$y$j9T$Sw1lg2a7i/0vWoufwxYsSzAk$RrdQ6C4bUsOE3uy0mErsbOA7LOF4x2R8zP5XW6jpA1/::0:99999:7:::%g' mnt/etc/shadow
 #sudo rm -f mnt/etc/systemd/system/*/initial-setup.service
-sudo rm -f mnt/etc/systemd/system/*/smartd.service
+#sudo rm -f mnt/etc/systemd/system/*/smartd.service
 # enable SPI and the TPM we use in the dtbs
 cat << EOF | sudo tee -a mnt/boot/efi/config.txt
 dtparam=spi=on
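Review bot: After this change fedora-rawhide/scripts/prepare-latest-raw is byte-identical to the new fedora-40/scripts/prepare-latest-raw (both file headers show blob b1c186f), so the two copies will drift the next time either is edited; a single shared script in a common directory, or a symlink from one tree to the other, would remove the duplication. The hunk also leaves `#sudo rm -f mnt/etc/systemd/system/*/smartd.service` as a commented-out command beside the already-commented `initial-setup.service` line; delete it, or replace it with a one-line comment saying why smartd is no longer removed from the image.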