Distro has openSSL 3.0.7, no need to compile own openSSL 3.x.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add a build job, prerequisite of the existing job, to compile the UML
kernel and upload it and the signing key to a cache. Github configuration
should have two variables: LINUX_URL, the full URL of the kernel
repository; LINUX_BRANCH, the branch to check out as fallback if the kernel
repository does not have the same branch name as the one being pushed for
ima-evm-utils. See:
https://docs.github.com/en/actions/learn-github-actions/variables
for directions on how to define those variables.
If the two variables are not defined, the default values are:
LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
LINUX_BRANCH=next-integrity
If there is a cache hit (same kernel commit and same kernel configuration),
next time the UML kernel will not be rebuilt. To use the cache, it is
necessary to install zstd in the container. Add this dependency to
ci/fedora.sh.
The cache can be managed at the following URL:
https://github.com/<username>/ima-evm-utils/actions/caches
The page also offers the possibility to clean the cache, to force
rebuilding the kernel.
Add a new entry in the testing matrix, for the fedora-latest container
image, to run the tests with the UML kernel. The entry differs from the
others for the new environment variable TST_ENV, set to 'um', and
TST_KERNEL set to '../linux', as the tests will be executed from the
tests/ directory in ima-evm-utils.
Add a new volume to the container, /dev/shm from the host, as it is
required for running the UML kernel.
Extend the existing job with steps to download the UML kernel and signing
key from the cache. The new steps are executed only if the matrix entry has
TST_ENV set.
Finally, pass TST_ENV and TST_KERNEL to the tests. A test should also
propagate these variables to the new environment, by passing them to the
kernel command line.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This does not make fsverity.test working on GA CI, though.
- `--device /dev/loop-control' is required for losetup(8) to work.
- `--privileged' is required foo mount(8) to work, and this makes
`--security-opt seccomp=unconfined' redundant.
- GA container does not have `/sys/kernel/security' mounted which is
needed for `/sys/kernel/security/integrity/ima/policy'.
- Enable `set -x` in CI as the logs is everything we have to analyze on
failures.
Update: with these changes and the UML kernel support, the fsverity.test
is working properly.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
[zohar@linux.ibm.com: updated patch description]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Fix COMPILE_SSL to build for the proper architecture, link with the
appropriate library, and set up library path for evmctl.
Compile OpenSSL with "no-engine" and "no-dynamic-engine" support.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
With the distros shipping OpenSSL 3 with engine support, the original
purpose for compiling OpenSSL 3 to test sm2/sm3 is no longer necessary
and could be removed. Or, it could be re-purposed for building OpenSSL
without engine support, which is needed for testing.
For both travis and github actions, update openssl-3.0.0-beta1 with
openssl-3.0.5.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Ubuntu 21.10 impish EOL in 2022-04 (next month).
Replace it with the latest stable release (EOL 2027-04).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
It EOL in 12/2021 and CI is failing due removed repo:
CentOS Linux 8 - AppStream 232 B/s | 38 B 00:00
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist
Removing only from GitHub Actions, because Mimi Zohar reported Travis
can use centos:stream8.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Both opensuse/tumbleweed and Alt Linux have upgraded to glibc-2.34,
causing the CI testing to fail. Disable seccomp (which is not needed
anyway, since GA uses throwable virtual environments anyway).
options: --security-opt seccomp=unconfined
Suggested-by: Vitaly Chikunov <vt@altlinux.org>
Acked-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Keep in sync with the kernel IMA, IMA signature tool supports SM2/3
algorithm combination. Because in the current version of OpenSSL 1.1.1,
the SM2 algorithm and the public key using the EC algorithm share the
same ID 'EVP_PKEY_EC', and the specific algorithm can only be
distinguished by the curve name used. This patch supports this feature.
Secondly, the openssl 1.1.1 tool does not fully support the signature
of SM2/3 algorithm combination, so the openssl3 tool is used in the
test case, and there is no this problem with directly calling the
openssl 1.1.1 API in evmctl.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
[zohar@linux.ibm.com: "COMPILE_SSL: " -> "COMPILE_SSL=" in .travis.yml
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Build on Sisyphus branch which is bleeding edge repository.
Package manager is apt-rpm (not APT as it may look from the scripts).
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Do not need to waste CPU cycles and time to install swtpm in CI
container if distribution does not have tssstartup, because we will
be not able to start it.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Travis is unreliable due "pull rate limit" issue, workaround does not
work any more. Also GitHub Actions is a recommended way for projects
hosted on GitHub.
Nice bonus is that manual podman activation for distros using glibc >=
2.33 (e.g. openSUSE Tumbleweed, Fedora) it's not needed in GitHub.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
