Keep in sync with the kernel IMA, IMA signature tool supports SM2/3
algorithm combination. Because in the current version of OpenSSL 1.1.1,
the SM2 algorithm and the public key using the EC algorithm share the
same ID 'EVP_PKEY_EC', and the specific algorithm can only be
distinguished by the curve name used. This patch supports this feature.
Secondly, the openssl 1.1.1 tool does not fully support the signature
of SM2/3 algorithm combination, so the openssl3 tool is used in the
test case, and there is no this problem with directly calling the
openssl 1.1.1 API in evmctl.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
[zohar@linux.ibm.com: "COMPILE_SSL: " -> "COMPILE_SSL=" in .travis.yml
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Build on Sisyphus branch which is bleeding edge repository.
Package manager is apt-rpm (not APT as it may look from the scripts).
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Do not need to waste CPU cycles and time to install swtpm in CI
container if distribution does not have tssstartup, because we will
be not able to start it.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This is a preparation for adding GitHub Actions support.
Also run from root directory. It's a bit confusing to run from
travis directory.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
openSUSE Tumbleweed build fails due broken permission detection due
faccessat2() incompatibility in libseccomp/runc used in old docker with
old kernel on Ubuntu Focal on hosts in Travis CI together with guests
with the newest glibc 2.33.
Fixing Tumbleweed required switch to podman and downloading newest runc
release (v1.0.0-rc93) which contains the fix [1], because proposed glibc
fix [2] aren't going to merged to upstream [3] nor to Tumbleweed
downstream glibc [4].
Sooner or later it will be required for more distros (Fedora, Debian
Ubuntu), but don't waste build time until required.
[1] https://github.com/opencontainers/runc/pull/2750
[2] https://sourceware.org/pipermail/libc-alpha/2020-November/119955.html
[3] https://sourceware.org/pipermail/libc-alpha/2020-November/119978.html
[4] https://bugzilla.opensuse.org/1182451
Signed-off-by: Petr Vorel <pvorel@suse.cz>
[zohar@linux.ibm.com: actually remove sudo, as per Changelog]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Eoan is failing:
E: The repository 'http://security.ubuntu.com/ubuntu eoan-security Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
And 20.04 LTS focal in Travis is still fails on debconf issue
("debconf: unable to initialize frontend: Dialog")
Old 16.04 LTS xenial is still supported and working in Travis,
thus move to new groovy gives us good coverage both old and new releases.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The "boot_aggregate.test" requires either a hardware or software TPM.
Support using the swtpm, if packaged for the distro, in addition to
tpm_server.
Note: Some travis/<distro>.sh scripts are links to other scripts.
Don't fail the build of the linked script if the swtpm package doesn't
exist.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Acked-by: Bruno Meneguele <bmeneg@redhat.com>
This requires to have distro specific install scripts and build.sh
script.
For now ibmswtpm2 is compiled just for native builds (depends on gcc,
compiled natively). libtmps/swtpm could be used.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Bruno Meneguele <bmeneg@redhat.com>(Fedora,CentOS 8(RHEL actually))
[zohar@linux.ibm.com: removed debugging in travis/fedora.sh]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Running the "boot_aggregate" test without a physical TPM, requires
installing and initializing a software TPM. For now, use the same
method of initializing the TPM, based on the IBM tss, for both the
IBM and Intel's tss.
Build both the IBM and INTEL's tss.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Verifying the "boot_aggregate" requires reading the TPM PCRs for each of
the TPM banks. In test environments without a physical TPM, a software
TPM may be used, but requires initializing the TPM PCRs. By walking and
replaying the TPM event log, a software TPM may be properly initialized.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Verifying the "boot_aggregate" requires reading the TPM PCRs for each of
the TPM banks. In test environments without a physical TPM, a software
TPM may be used.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
