Skip to content

Comments

Spiffe and tpm#1771

Draft
brianmcgillion wants to merge 2 commits intotiiuae:mainfrom
brianmcgillion:spiffe-and-tpm
Draft

Spiffe and tpm#1771
brianmcgillion wants to merge 2 commits intotiiuae:mainfrom
brianmcgillion:spiffe-and-tpm

Conversation

@brianmcgillion
Copy link
Collaborator

@brianmcgillion brianmcgillion commented Feb 19, 2026

Description of Changes

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. ...

@everton-dematos @brianmcgillion
spiffe: Enable spire and spiffe protocol
0c9dde0 
Enable the protocol for intervm server/agent configuration

Co-authored-by: Ganga Ram <Ganga.Ram@tii.ae>
Co-authored-by: shamma-alblooshi1 <shamma.alblooshi@tii.ae>
Co-authored-by: Brian McGillion <bmg.avoin@gmail.com>

Signed-off-by: Brian McGillion <bmg.avoin@gmail.com>
@brianmcgillion brianmcgillion marked this pull request as draft February 19, 2026 23:59
@brianmcgillion
tpm: Retrieve the CA EK certs at build
94d362f 
retrieve the EK certs at build time and create a list of possible
devices. Then link these into the spiffe workflow, so that we can
validate and verify the TPM for enrollment as an attestor.

Signed-off-by: Brian McGillion <bmg.avoin@gmail.com>
@milva-unikie
Copy link

milva-unikie commented Feb 20, 2026

All tests are failing in jenkins-pre-merge because net-vm does not boot. Example logs from Darter Pro.

 	Output: × microvm@net-vm.service - MicroVM 'net-vm'
     Loaded: loaded (/etc/systemd/system/microvm@.service; enabled; preset: ignored)
    Drop-In: /nix/store/y6hivyfwvr7ba5pbvpfi6r7bc880jw9p-system-units/microvm@net-vm.service.d
             └─overrides.conf
     Active: failed (Result: exit-code) since Fri 2026-02-20 07:14:44 UTC; 51s ago
   Duration: 1.118s
 Invocation: 79184d63c9ca44fd9bef53a621ec2f93
    Process: 3147 ExecStartPre=/nix/store/riknx3la3y8gs633j6hrj6ih7bryng72-unit-script-microvm_-pre-start/bin/microvm_-pre-start (code=exited, status=0/SUCCESS)
    Process: 3160 ExecStart=/var/lib/microvms/net-vm/current/bin/microvm-run (code=exited, status=1/FAILURE)
    Process: 3263 ExecStopPost=/nix/store/h2la1fi073xlb7rxj0jbpljhrwhfsmp2-unit-script-microvm_-post-stop/bin/microvm_-post-stop (code=exited, status=0/SUCCESS)
   Main PID: 3160 (code=exited, status=1/FAILURE)
         IP: 0B in, 0B out
         IO: 110.6M read, 0B written
   Mem peak: 70.3M
        CPU: 228ms

Feb 20 07:14:43 ghaf-host systemd[1]: Starting MicroVM 'net-vm'...
Feb 20 07:14:43 ghaf-host systemd[1]: Started MicroVM 'net-vm'.
Feb 20 07:14:44 ghaf-host microvm@net-vm[3160]: microvm@net-vm: -drive id=vdb,format=raw,file=/persist/storagevm/givc/net-vm.img,if=none,aio=io_uring,discard=unmap,cache=none,read-only=on: Could not open '/persist/storagevm/givc/net-vm.img': No such file or directory
Feb 20 07:14:44 ghaf-host systemd[1]: microvm@net-vm.service: Main process exited, code=exited, status=1/FAILURE
Feb 20 07:14:44 ghaf-host systemd[1]: microvm@net-vm.service: Failed with result 'exit-code'.
Feb 20 07:14:44 ghaf-host systemd[1]: microvm@net-vm.service: Consumed 228ms CPU time, 70.3M memory peak, 110.6M read from disk.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@brianmcgillion @milva-unikie @everton-dematos