Support virtualized TPM attachments to qemu VMS, plus refactor.#335
Draft
amstewart wants to merge 3 commits into ni:nilrt/master/scarthgap from
Conversation
added 3 commits
January 12, 2026 15:25
QEMU throws an error when executing the start script like ...

```
qemu-system-x86_64: -drive if=pflash,format=raw,readonly,file=./OVMF/OVMF_CODE.fd: warning: short-form boolean option 'readonly' deprecated
Please use readonly=on instead
```

Use the new option syntax to satisfy the warning.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Using the swtpm package, Linux users can emulate a TPM device - which is useful when testing Secure Boot and NI Device Encryption workflows locally. Add a `-t` option to the QEMU start script that creates and attaches a software TPM to the VM.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The build.vms.sh pipeline script and associated vm-resources are somewhat difficult to comprehend and also use a statically built OVMF UEFI BIOS. In order to support TPM-based secure-boot/measured-boot testing, we should use the OVMF output from OE. While we're here, refactor the build.vms tooling to use a Makefile in a directory called `qemu`, which is hopefully a little easier to maintain.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
This PR will break the AZDO build pipeline after it gets merged, because the VM artifacts will be created in a different location - though they are otherwise the same. I'll put in a change to the component Makefiles to account for this.
Changes
- `-t`). When asserted, the script will create, initialize, and attach a virtualized TPM2.0 device to the VM using the `swtpm` distro package on the host machine.
- `build.vms.sh` bash script, use a Makefile - where the logic is easier to parse.
- `ovmf` recipe in OE-core to build the UEFI firmware, instead of using a static copy from somewhere.

Testing

Process

next/ref.

Suggested Reviewers:
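As an added example, and not the nilrt project's own start script or Makefile, the POSIX shell sketch below shows what the `-t` option described in this PR amounts to: initialize a swtpm TPM 2.0 state directory, start `swtpm` on a Unix control socket, and hand qemu the `-chardev`/`-tpmdev`/`-device` triple that attaches it, alongside OVMF pflash drives written with the `readonly=on` syntax from the first commit. The directory layout, the `VM_DIR` and `TPM_DEMO_RUN` variables, the disk image name and the machine options are assumptions; `swtpm`, `swtpm_setup` and `qemu-system-x86_64` must be installed before the guarded `main` will actually launch a VM.

```shell
#!/bin/sh
# Added example (not nilrt's tooling): attach a swtpm-backed TPM 2.0 to qemu.
# Assumes swtpm, swtpm_setup and qemu-system-x86_64 exist on PATH when run.
set -eu

# Where the emulated TPM keeps its persistent state and its control socket.
# Measured-boot tests depend on this state surviving between VM boots.
tpm_state_dir() {
    printf '%s/tpm' "$1"
}

# qemu arguments that attach the swtpm instance whose socket lives in $1.
# Printed one per line so callers can splice them into a command line.
tpm_qemu_args() {
    dir="$1"
    printf '%s\n' \
        "-chardev" "socket,id=chrtpm,path=${dir}/swtpm-sock" \
        "-tpmdev" "emulator,id=tpm0,chardev=chrtpm" \
        "-device" "tpm-tis,tpmdev=tpm0"
}

# OVMF pflash arguments using readonly=on, the form qemu asks for instead of
# the deprecated bare "readonly" flag. CODE is read-only; VARS holds the
# Secure Boot key store and must stay writable.
ovmf_args() {
    ovmf_dir="$1"
    printf '%s\n' \
        "-drive" "if=pflash,format=raw,readonly=on,file=${ovmf_dir}/OVMF_CODE.fd" \
        "-drive" "if=pflash,format=raw,file=${ovmf_dir}/OVMF_VARS.fd"
}

# Create the TPM state once (with EK and platform certificates), then start
# swtpm as a daemon and wait until its control socket appears.
start_swtpm() {
    dir="$1"
    mkdir -p "$dir"
    if [ ! -f "$dir/tpm2-00.permall" ]; then
        swtpm_setup --tpm2 --tpmstate "$dir" \
            --create-ek-cert --create-platform-cert --overwrite
    fi
    swtpm socket --tpm2 --tpmstate dir="$dir" \
        --ctrl type=unixio,path="$dir/swtpm-sock" \
        --log level=20 --daemon
    tries=0
    while [ ! -S "$dir/swtpm-sock" ]; do
        tries=$((tries + 1))
        [ "$tries" -lt 50 ] || { echo "swtpm socket never appeared" >&2; return 1; }
        sleep 1
    done
}

# Assumed layout: $VM_DIR/OVMF/{OVMF_CODE,OVMF_VARS}.fd, $VM_DIR/disk.qcow2.
main() {
    vmdir="${VM_DIR:-./vm}"
    tpm="$(tpm_state_dir "$vmdir")"
    start_swtpm "$tpm"
    # Arguments contain no whitespace, so word-splitting the output is safe.
    # shellcheck disable=SC2046
    exec qemu-system-x86_64 -machine q35,accel=kvm -m 2048 \
        $(ovmf_args "$vmdir/OVMF") $(tpm_qemu_args "$tpm") \
        -drive if=virtio,format=qcow2,file="$vmdir/disk.qcow2"
}

# Only launch when explicitly asked, so the functions can be sourced or tested.
if [ "${TPM_DEMO_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `TPM_DEMO_RUN=1 VM_DIR=/path/to/vm sh tpm-demo.sh`; inside the guest, `ls /dev/tpm0` and the TPM 2.0 event log under `/sys/kernel/security/tpm0/` confirm that the firmware saw the device and recorded its measurements.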