tcg-storage: add TCG Opal storage security testing workflow

Add TCG (Trusted Computing Group) Opal SED (Self-Encrypting Drive)
testing workflow for validating storage security features. This workflow
enables testing of hardware-based full disk encryption capabilities
found in modern NVMe and SATA drives.

Key features:
- TCG Opal 2.0+ compliance testing for self-encrypting drives
- Support for drive provisioning, locking, and unlocking operations
- Integration with sedutil-cli for drive management
- Configurable encryption parameters (Admin1 password, locking ranges)
- Multi-filesystem support (XFS, Btrfs, ext4) on encrypted drives
- A/B testing support for baseline vs development comparisons
- Device capability detection and validation

The workflow validates critical storage security operations:
- Initial drive provisioning with Owner credentials
- Locking range configuration and management
- Power cycle testing to verify encryption persistence
- Performance impact measurement of encryption
- Compatibility testing across different drive models

Defconfigs:
- tcg-storage: Standard TCG Opal testing configuration
  Note that Qemu lacks TCG Opal support, however if work is
  put in place for that, this can be used to test it.

The real practical use would instead be to use the new declared hosts
feature which enables us to test on bare metal, skipping bringup, you
can use something like this:

make defconfig-tcg-storage-declared-hosts DECLARE_HOSTS=foo TCG_DEVICE=/dev/nvme4n1

Workflow integration follows kdevops patterns:
  make defconfig-tcg-storage
  make bringup
  make tcg-storage      # Run TCG Opal tests
  make tcg-results      # View test results

This enables systematic testing of hardware-based encryption features
critical for data-at-rest protection in enterprise and security-sensitive
environments.

Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <[email protected]>

Author: mcgrof

defconfigs/tcg-storage

@@ -0,0 +1,27 @@
+# TCG Storage testing configuration
+CONFIG_LIBVIRT=y
+CONFIG_LIBVIRT_DYNAMIC=y
+CONFIG_LIBVIRT_HOST_PREFIX="tcg"
+CONFIG_LIBVIRT_MEM_START=4096
+CONFIG_LIBVIRT_MEM_END=4096
+CONFIG_LIBVIRT_VCPUS_START=4
+CONFIG_LIBVIRT_VCPUS_END=4
+
+# Workflow selection
+CONFIG_WORKFLOWS=y
+CONFIG_WORKFLOWS_TESTS=y
+CONFIG_WORKFLOWS_LINUX_TESTS=y
+CONFIG_WORKFLOWS_DEDICATED_WORKFLOW=y
+CONFIG_KDEVOPS_WORKFLOW_DEDICATE_TCG_STORAGE=y
+CONFIG_KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE=y
+
+# TCG Storage specific options
+CONFIG_TCG_STORAGE_RUN_UNIT_TESTS=y
+# For virtual testing with NVMe
+CONFIG_TCG_STORAGE_TEST_DEVICE="/dev/nvme0n1"
+CONFIG_TCG_STORAGE_TEST_DEVICE_TYPE="nvme"
+
+# Storage options for test VM - use NVMe
+CONFIG_LIBVIRT_EXTRA_STORAGE_DRIVE_COUNT=1
+CONFIG_LIBVIRT_EXTRA_STORAGE_DRIVE_NVME=y
+CONFIG_LIBVIRT_EXTRA_STORAGE_DRIVE_SIZE=10240

defconfigs/tcg-storage-declared-hosts

@@ -0,0 +1,39 @@
+#
+# TCG Storage testing with declared hosts (bare metal or pre-existing infrastructure)
+#
+# Usage:
+#   make defconfig-tcg-storage-declared-hosts DECLARE_HOSTS=foo TCG_DEVICE=/dev/nvme0n1
+#   make
+#   make tcg-storage
+#
+CONFIG_WORKFLOWS=y
+CONFIG_WORKFLOWS_TESTS=y
+CONFIG_WORKFLOWS_LINUX_TESTS=y
+CONFIG_WORKFLOWS_DEDICATED_WORKFLOW=y
+CONFIG_KDEVOPS_WORKFLOW_DEDICATE_TCG_STORAGE=y
+CONFIG_KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE=y
+
+# Skip bringup for declared hosts - we're using existing systems
+CONFIG_SKIP_BRINGUP=y
+CONFIG_KDEVOPS_USE_DECLARED_HOSTS=y
+
+# TCG Storage testing options
+CONFIG_TCG_STORAGE_GITHUB_URL="https://github.com/open-source-firmware/go-tcg-storage"
+CONFIG_TCG_STORAGE_BRANCH="main"
+
+# Device configuration - will be overridden by TCG_DEVICE variable
+CONFIG_TCG_STORAGE_TEST_DEVICE="/dev/nvme0n1"
+CONFIG_TCG_STORAGE_TEST_DEVICE_TYPE="nvme"
+CONFIG_TCG_STORAGE_TEST_PASSWORD="testpassword123"
+
+# Enable both unit and integration tests for real hardware
+CONFIG_TCG_STORAGE_RUN_UNIT_TESTS=y
+CONFIG_TCG_STORAGE_RUN_INTEGRATION_TESTS=y
+
+# Enable all TCG test types for real hardware
+CONFIG_TCG_STORAGE_TEST_TAKE_OWNERSHIP=y
+CONFIG_TCG_STORAGE_TEST_LOCKING_RANGES=y
+# Be careful with revert on real hardware
+CONFIG_TCG_STORAGE_TEST_REVERT=n
+
+CONFIG_TCG_STORAGE_RESULTS_DIR="workflows/tcg-storage/results"

kconfigs/workflows/Kconfig

@@ -248,6 +248,15 @@ config KDEVOPS_WORKFLOW_DEDICATE_BUILD_LINUX
 	  This will dedicate your configuration to running only the
 	  build-linux workflow for repeated Linux kernel builds.
 
+config KDEVOPS_WORKFLOW_DEDICATE_TCG_STORAGE
+	bool "tcg-storage"
+	depends on !KDEVOPS_USE_DECLARED_HOSTS
+	select KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
+	help
+	  This will dedicate your configuration to running only the
+	  TCG storage workflow for testing TCG/OPAL functionality on
+	  self-encrypting drives.
+
 endchoice
 
 config KDEVOPS_WORKFLOW_NAME
@@ -267,6 +276,7 @@ config KDEVOPS_WORKFLOW_NAME
 	default "ai" if KDEVOPS_WORKFLOW_DEDICATE_AI
 	default "minio" if KDEVOPS_WORKFLOW_DEDICATE_MINIO
 	default "build-linux" if KDEVOPS_WORKFLOW_DEDICATE_BUILD_LINUX
+	default "tcg-storage" if KDEVOPS_WORKFLOW_DEDICATE_TCG_STORAGE
 
 endif
 
@@ -395,6 +405,16 @@ config KDEVOPS_WORKFLOW_NOT_DEDICATED_ENABLE_AI
 	  Select this option if you want to provision AI benchmarks on a
 	  single target node for by-hand testing.
 
+config KDEVOPS_WORKFLOW_NOT_DEDICATED_ENABLE_TCG_STORAGE
+	bool "tcg-storage"
+	depends on !KDEVOPS_USE_DECLARED_HOSTS
+	select KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
+	depends on LIBVIRT || TERRAFORM_PRIVATE_NET
+	help
+	  Select this option if you want to provision TCG storage testing on a
+	  single target node for testing TCG/OPAL functionality on
+	  self-encrypting drives.
+
 endif # !WORKFLOWS_DEDICATED_WORKFLOW
 
 config KDEVOPS_WORKFLOW_ENABLE_FSTESTS
@@ -552,6 +572,17 @@ source "workflows/build-linux/Kconfig"
 endmenu
 endif # KDEVOPS_WORKFLOW_ENABLE_BUILD_LINUX
 
+config KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
+	bool
+	output yaml
+	default y if KDEVOPS_WORKFLOW_NOT_DEDICATED_ENABLE_TCG_STORAGE || KDEVOPS_WORKFLOW_DEDICATE_TCG_STORAGE
+
+if KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
+menu "Configure and run TCG storage tests"
+source "workflows/tcg-storage/Kconfig"
+endmenu
+endif # KDEVOPS_WORKFLOW_ENABLE_TCG_STORAGE
+
 config KDEVOPS_WORKFLOW_ENABLE_SSD_STEADY_STATE
        bool "Attain SSD steady state prior to tests"
        output yaml

playbooks/roles/ansible_cfg/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
+ansible_cfg_file: "{{ topdir_path | default(playbook_dir | dirname) }}/ansible.cfg"
+topdir_path: "{{ playbook_dir | dirname }}"
+ansible_cfg_inventory: "{{ topdir_path | default(playbook_dir | dirname) }}/hosts"
 ansible_cfg_deprecation_warnings: true
 ansible_cfg_callback_plugin_string: dense
 ansible_cfg_callback_plugin_check_mode_markers: false

playbooks/roles/gen_hosts/defaults/main.yml

@@ -1,5 +1,6 @@
 # SPDX-License-Identifier GPL-2.0+
 ---
+ansible_cfg_inventory: "{{ topdir_path | default(playbook_dir | dirname) }}/hosts"
 topdir_path: "/dev/null"
 
 hosts_type_generic: true
@@ -30,6 +31,8 @@ kdevops_workflow_enable_sysbench: false
 kdevops_workflow_enable_fio_tests: false
 kdevops_workflow_enable_mmtests: false
 kdevops_workflow_enable_ai: false
+kdevops_workflow_enable_minio: false
+kdevops_workflow_enable_tcg_storage: false
 workflows_reboot_limit: false
 kdevops_use_declared_hosts: false
 

playbooks/roles/gen_hosts/tasks/main.yml

@@ -270,6 +270,21 @@
     - ansible_hosts_template.stat.exists
     - not kdevops_use_declared_hosts|default(false)|bool
 
+- name: Generate the Ansible hosts file for a dedicated TCG Storage setup
+  tags: ['hosts']
+  ansible.builtin.template:
+    src: "{{ kdevops_hosts_template }}"
+    dest: "{{ ansible_cfg_inventory }}"
+    force: true
+    trim_blocks: True
+    lstrip_blocks: True
+    mode: '0644'
+  when:
+    - kdevops_workflows_dedicated_workflow
+    - kdevops_workflow_enable_tcg_storage|default(false)|bool
+    - ansible_hosts_template.stat.exists
+    - not kdevops_use_declared_hosts|default(false)|bool
+
 - name: Verify if final host file exists
   ansible.builtin.stat:
     path: "{{ ansible_cfg_inventory }}"

playbooks/roles/gen_hosts/templates/workflows/tcg-storage.j2

@@ -0,0 +1,38 @@
+{#
+TCG Storage workflow hosts template
+
+This template generates the Ansible hosts file for the TCG Storage testing workflow.
+It supports both single node and baseline/dev (A/B testing) configurations.
+#}
+[all]
+localhost ansible_connection=local
+{{ kdevops_host_prefix }}-tcg-storage
+{% if kdevops_baseline_and_dev %}
+{{ kdevops_host_prefix }}-tcg-storage-dev
+{% endif %}
+
+[all:vars]
+ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
+
+[baseline]
+{{ kdevops_host_prefix }}-tcg-storage
+
+[baseline:vars]
+ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
+
+{% if kdevops_baseline_and_dev %}
+[dev]
+{{ kdevops_host_prefix }}-tcg-storage-dev
+
+[dev:vars]
+ansible_python_interpreter = "{{ kdevops_python_interpreter }}"
+
+{% endif %}
+[tcg-storage]
+{{ kdevops_host_prefix }}-tcg-storage
+{% if kdevops_baseline_and_dev %}
+{{ kdevops_host_prefix }}-tcg-storage-dev
+{% endif %}
+
+[tcg-storage:vars]
+ansible_python_interpreter = "{{ kdevops_python_interpreter }}"

playbooks/roles/gen_nodes/defaults/main.yml

@@ -13,6 +13,8 @@ kdevops_workflow_enable_selftests: false
 kdevops_workflow_enable_mmtests: false
 kdevops_workflow_enable_fio_tests: false
 kdevops_workflow_enable_ai: false
+kdevops_workflow_enable_minio: false
+kdevops_workflow_enable_tcg_storage: false
 kdevops_nfsd_enable: false
 kdevops_smbd_enable: false
 kdevops_krb5_enable: false

playbooks/roles/gen_nodes/tasks/main.yml

@@ -906,6 +906,41 @@
     - kdevops_baseline_and_dev
     - not minio_enable_multifs_testing|default(false)|bool
 
+# TCG Storage nodes
+- name: Generate the TCG Storage kdevops nodes file using {{ kdevops_nodes_template }} as jinja2 source template
+  tags: ['hosts']
+  vars:
+    node_template: "{{ kdevops_nodes_template | basename }}"
+    nodes: "{{ [kdevops_host_prefix + '-tcg-storage'] }}"
+    all_generic_nodes: "{{ [kdevops_host_prefix + '-tcg-storage'] }}"
+  ansible.builtin.template:
+    src: "{{ node_template }}"
+    dest: "{{ topdir_path }}/{{ kdevops_nodes }}"
+    force: true
+    mode: '0644'
+  when:
+    - kdevops_workflows_dedicated_workflow
+    - kdevops_workflow_enable_tcg_storage|default(false)|bool
+    - ansible_nodes_template.stat.exists
+    - not kdevops_baseline_and_dev
+
+- name: Generate the TCG Storage kdevops nodes file with dev hosts using {{ kdevops_nodes_template }} as jinja2 source template
+  tags: ['hosts']
+  vars:
+    node_template: "{{ kdevops_nodes_template | basename }}"
+    nodes: "{{ [kdevops_host_prefix + '-tcg-storage', kdevops_host_prefix + '-tcg-storage-dev'] }}"
+    all_generic_nodes: "{{ [kdevops_host_prefix + '-tcg-storage', kdevops_host_prefix + '-tcg-storage-dev'] }}"
+  ansible.builtin.template:
+    src: "{{ node_template }}"
+    dest: "{{ topdir_path }}/{{ kdevops_nodes }}"
+    force: true
+    mode: '0644'
+  when:
+    - kdevops_workflows_dedicated_workflow
+    - kdevops_workflow_enable_tcg_storage|default(false)|bool
+    - ansible_nodes_template.stat.exists
+    - kdevops_baseline_and_dev
+
 # Build-linux workflow nodes
 
 # Multi-filesystem Build-linux configurations

playbooks/roles/guestfs/defaults/main.yml

@@ -1,6 +1,9 @@
 ---
 distro_debian_based: false
+virtbuilder_os_version: "debian-13-generic-amd64-daily"
 
 libvirt_uri_system: false
 libvirt_enable_largeio: false
 bootlinux_9p: false
+kdevops_workflow_enable_minio: false
+kdevops_workflow_enable_tcg_storage: false