Distro has OpenSSL 3.0.7, no need to compile our own OpenSSL 3.x.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Fix COMPILE_SSL to build for the proper architecture, link with the
appropriate library, and set up library path for evmctl.
Compile OpenSSL with "no-engine" and "no-dynamic-engine" support.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
With the distros shipping OpenSSL 3 with engine support, the original
purpose for compiling OpenSSL 3 to test sm2/sm3 is no longer necessary
and could be removed. Or, it could be re-purposed for building OpenSSL
without engine support, which is needed for testing.
For both travis and github actions, update openssl-3.0.0-beta1 with
openssl-3.0.5.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Although GitHub Actions is available on GitHub Enterprise Server 3.x
single server edition, as well as the unpaid version, it is not
available in GitHub Enterprise Server 3.x cluster edition[1].
Continue updating travis.yml.
[1] https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#github-packages
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Ubuntu 21.10 impish EOL in 2022-04 (next month).
Replace it with the latest stable release (EOL 2027-04).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Replace CentOS 8 with CentOS stream 8.
Use podman for both CentOS 7 & 8.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of returning an image, it prompts for a response. Hardcode
to use docker.io.
Please select an image:
▸ docker.io/library/alt:sisyphus
quay.io/alt:sisyphus
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
As expected, for the same reasons as commit 6287cb76d186 ("travis: Fix
openSUSE Tumbleweed"), replace using docker with podman, but now use
crun.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Keep in sync with the kernel IMA: the IMA signature tool supports the
SM2/3 algorithm combination. In the current version of OpenSSL 1.1.1,
the SM2 algorithm and a public key using the EC algorithm share the
same ID 'EVP_PKEY_EC', and the specific algorithm can only be
distinguished by the curve name used. This patch supports this feature.
Secondly, the openssl 1.1.1 tool does not fully support signing with
the SM2/3 algorithm combination, so the openssl3 tool is used in the
test case; this problem does not exist when directly calling the
openssl 1.1.1 API in evmctl.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
[zohar@linux.ibm.com: "COMPILE_SSL: " -> "COMPILE_SSL=" in .travis.yml]
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Build on the Sisyphus branch, which is the bleeding-edge repository.
The package manager is apt-rpm (not APT as it may look from the scripts).
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
There is no need to waste CPU cycles and time installing swtpm in the CI
container if the distribution does not have tssstartup, because we will
not be able to start it.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This is a preparation for adding GitHub Actions support.
Also run from the root directory. It's a bit confusing to run from the
travis directory.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The openSUSE Tumbleweed build fails due to broken permission detection
caused by the faccessat2() incompatibility in libseccomp/runc used in old
docker with an old kernel on Ubuntu Focal hosts in Travis CI together
with guests with the newest glibc 2.33.
Fixing Tumbleweed required switching to podman and downloading the newest
runc release (v1.0.0-rc93), which contains the fix [1], because the
proposed glibc fix [2] isn't going to be merged upstream [3] nor into the
Tumbleweed downstream glibc [4].
Sooner or later it will be required for more distros (Fedora, Debian,
Ubuntu), but don't waste build time until required.
[1] https://github.com/opencontainers/runc/pull/2750
[2] https://sourceware.org/pipermail/libc-alpha/2020-November/119955.html
[3] https://sourceware.org/pipermail/libc-alpha/2020-November/119978.html
[4] https://bugzilla.opensuse.org/1182451
Signed-off-by: Petr Vorel <pvorel@suse.cz>
[zohar@linux.ibm.com: actually remove sudo, as per Changelog]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Eoan is failing:
E: The repository 'http://security.ubuntu.com/ubuntu eoan-security Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
And 20.04 LTS focal in Travis still fails on a debconf issue
("debconf: unable to initialize frontend: Dialog").
Old 16.04 LTS xenial is still supported and working in Travis,
thus moving to the new groovy gives us good coverage of both old and new releases.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The "boot_aggregate.test" requires either a hardware or software TPM.
Support using the swtpm, if packaged for the distro, in addition to
tpm_server.
Note: Some travis/<distro>.sh scripts are links to other scripts.
Don't fail the build of the linked script if the swtpm package doesn't
exist.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Acked-by: Bruno Meneguele <bmeneg@redhat.com>
This requires having distro-specific install scripts and a build.sh
script.
For now ibmswtpm2 is compiled just for native builds (depends on gcc,
compiled natively). libtpms/swtpm could be used.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Bruno Meneguele <bmeneg@redhat.com> (Fedora, CentOS 8 (RHEL actually))
[zohar@linux.ibm.com: removed debugging in travis/fedora.sh]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Running the "boot_aggregate" test without a physical TPM requires
installing and initializing a software TPM. For now, use the same
method of initializing the TPM, based on the IBM tss, for both the
IBM and Intel's tss.
Build both the IBM and INTEL's tss.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Verifying the "boot_aggregate" requires reading the TPM PCRs for each of
the TPM banks. In test environments without a physical TPM, a software
TPM may be used, but requires initializing the TPM PCRs. By walking and
replaying the TPM event log, a software TPM may be properly initialized.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Verifying the "boot_aggregate" requires reading the TPM PCRs for each of
the TPM banks. In test environments without a physical TPM, a software
TPM may be used.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
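The two commit messages above describe initializing a software TPM by replaying the event log into its PCR banks, and then hashing those PCRs into the "boot_aggregate". The following is an added illustration of that replay, not code from ima-evm-utils: the event log entries and the 24-PCR bank size are constructed assumptions, and the aggregate is computed over PCRs 0-7 as in the classic sha1 definition (newer kernels also fold in PCRs 8-9 for the non-sha1 banks).

```python
import hashlib

# Constructed sample event log: (PCR index, measured data) pairs, made up
# for this example. A real TCG log carries one pre-computed digest per bank.
SAMPLE_EVENT_LOG = [
    (0, b"firmware-volume"),
    (0, b"ev-separator"),
    (4, b"bootloader-image"),
    (5, b"gpt-partition-table"),
    (7, b"secure-boot-vars"),
]


def event_digest(data: bytes, algo: str) -> bytes:
    """Digest of one event's data in the given bank's hash algorithm."""
    return hashlib.new(algo, data).digest()


def extend_pcr(current: bytes, digest: bytes, algo: str) -> bytes:
    """TPM PCR extend: new = H(old || digest). Order of extends matters."""
    return hashlib.new(algo, current + digest).digest()


def replay_event_log(events, algo: str, num_pcrs: int = 24) -> list:
    """Replay the log into a fresh bank where every PCR starts as all zeros,
    which is the state of a freshly started software TPM."""
    size = hashlib.new(algo).digest_size
    pcrs = [bytes(size)] * num_pcrs
    for idx, data in events:
        pcrs[idx] = extend_pcr(pcrs[idx], event_digest(data, algo), algo)
    return pcrs


def boot_aggregate(pcrs, algo: str, last_pcr: int = 7) -> str:
    """boot_aggregate = H(PCR0 || PCR1 || ... || PCR<last_pcr>) for one bank.
    last_pcr=7 is the classic sha1 definition; pass 9 for the newer banks."""
    h = hashlib.new(algo)
    for i in range(last_pcr + 1):
        h.update(pcrs[i])
    return h.hexdigest()


if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        bank = replay_event_log(SAMPLE_EVENT_LOG, algo)
        print(algo, "boot_aggregate:", boot_aggregate(bank, algo))
```

Replaying the same log in a different order yields different PCR values, which is why the replay must follow the log's recorded order.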