Re: [PATCH ima-evm-utils v4] ima-evm-utils: Support SM2 algorithm for sign and verify

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 7/15/21 2:39 PM, Petr Vorel wrote:
Hi Mimi, Tianjia,

Hi Tianjia,

On Wed, 2021-07-14 at 21:01 +0800, Tianjia Zhang wrote:

index 5b07711..a0001b0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -93,4 +93,4 @@ before_install:
  script:
      - INSTALL="${DISTRO%%:*}"
      - INSTALL="${INSTALL%%/*}"
-    - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if
[ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi
&& ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ !
\"$VARIANT\" ]; then which tpm_server || which swtpm ||
./tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\"
./build.sh"
+    - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if
[ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi
&& ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ !
\"$VARIANT\" ]; then which tpm_server || which swtpm ||
./tests/install-swtpm.sh; fi && ./tests/install-openssl3.sh &&
CC=\"$CC\" VARIANT=\"$VARIANT\" ./build.sh"

With "install-openssl3.sh", installing openssl 3.0 is being done for
every distro matrix rule.  This needs to be limited to a specific
instance.  Petr, please correct if I'm wrong, I assume a new variable
needs to be defined, similar to "TSS".
+1

A similar change would need to be made in ci.yml.
+1

new file mode 100755
index 0000000..21adb6f
--- /dev/null
+++ b/tests/install-openssl3.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -ex
+
+# The latest version in July 2021
+wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.0-beta1.tar.gz
+tar --no-same-owner -xvzf openssl-3.0.0-beta1.tar.gz

Petr said,  "Although it appears there is no distro which would have
openssl 3.0 [1],
Debian actually have 3.0.0~~beta1-1 in experimental [2]. openSUSE has slightly
older version openssl-3.0.0-alpha16 [3]. I suppose we update soon to beta1 as
well.
Using distro packages would be probably faster to run in CI than install from git."
I guess, whether the openssl 3.0 source code is from the distro or from
openssl, it needs to be compiled from source.

Perhaps limiting compiling openssl 3.0 to those distros with the source
package is simpler than defining a new travis.yml variable, as
suggested above.  Petr?
It'll be slower, but why not. It might be better not cover only Debian.
But IMHO there should be at least some distros tested with regular openssl 1.1.x
(or which particular version it have) which means some runs will be added to the
matrix. But there should be a balance between test coverity and time required
for tests to be run (we don't want to end up like u-boot [1] :)).

Kind regards,
Petr

[1] https://github.com/u-boot/u-boot/runs/3073277277


evmctl itself relies on openssl version 1.1.1 or lower. I guess, openssl 3.0 needs to be compiled and install to a non-standard path, such as /opt/openssl, otherwise it will affect the subsequent compilation of evmctl in build.sh. Of course, compile openssl 3.0 from source code. must to limit the number of instances to avoid excessively increasing the time-consuming in CI. Is that right?

Best regards,
Tianjia



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux