So the tricky part with this test is getting a TPM. Our worker hosts don't all have TPM, so I don't think we can use passthrough. We will have to use swtpm instead, but the tricky thing there is we need to run a copy of swtpm on the worker host before qemu is launched.

I can think of various ways to do this but none are entirely straightforward.

One way: we could write an instantiated systemd service that runs an swtpm. Then we either just set up our ansible plays to enable one instance of that service per openQA worker, or we invent a new worker class, and only have the ansible plays launch one instance of the service per worker of that class, or something.

Another way: we patch this into os-autoinst, so that when a magic variable is set, it launches an swtpm instance before running qemu, and kills it after the job completes. This is more or less what libvirt does, FWIW.

If no-one else decides to work on this, I'll start looking at those options tomorrow.

So I am looking into this, but it's a bit held up on the infra move as we don't have the staging instance to test on and everything keeps falling over. I think I'm gravitating to the 'instantiated services' solution ATM.

So I'm getting somewhere with this now. I have a proof-of-concept live on production (yes, Dos Equis man is back!), and it passed. I have the relevant ansible changes drafted but didn't commit them yet, I just hand edited stuff on the instance. I have sent a PR for the necessary os-autoinst changes, will see where that goes next week.

OK, this is done now. Wiki reporting also hooked up.