[PATCH ima-evm-utils v2 0/9] Support testing with UML kernel

From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

UML kernels differ from other kernels in their ability to be executed as
processes in the current environment, without requirements such as
virtualization. It is sufficient to execute the binary, like any other
binary.

In addition, UML kernels have the ability to see the host filesystem and
thus they could, for example, run an executable from the host as init and
have a fully working system without creating an image, as would happen
if a regular virtual machine were used.

These features make UML kernels very suitable for integration in existing
test suites designed to perform the tests in the current environment, such
as ima-evm-utils. In the current environment, test suites cannot test new
functionality not yet integrated in the host kernel, or with custom kernel
configuration options not usually enabled in production. Also, test suites
might not be able to set/reset kernel settings for security reasons.

With the ability to do kernel testing more in depth, ima-evm-utils might
introduce specific tests for that, separated from the tests to verify the
ima-evm-utils user space functionality. At the moment, there is no such
distinction; existing tests verify both.

The goal of this patch set is to overcome the limitations by making the
test suite in ima-evm-utils able to run in an environment created by the
UML kernel, with minimal changes. At the same time, it will preserve the
ability of the test suite to run in the current environment.

First, fix error messages and a variable in evmctl. Then, add the
config-uml file with custom kernel configuration options for the tests, to
be merged with the default configuration. Add a new job in the GitHub
workflow to build the UML kernel from a repository and branch specified in
the LINUX_URL and LINUX_BRANCH variables. Per GitHub documentation, these
variables can be defined at organization, repository and environment level.

Introduce a new API for using UML kernels for existing and new test
scripts. Unless the environment variable UML_MODE is set to 1, calling the
API results in a nop, and tests are executed in the current environment.

Add the possibility to select individual tests to run in a test script,
with the TST_LIST variable, so that the UML kernel can be launched multiple
times with a subset of tests (useful if, for example, a test requires kernel
settings different from the previous test).

Add tests for EVM portable signatures supporting UML kernels and port
fsverity.test to use UML kernels.

Finally, don't require making changes to the system to run fsverity.test
and install a software dependency after the appropriate repository has been
set up.

Mimi Zohar (1):
  ci: haveged requires EPEL on CentOS stream:8

Roberto Sassu (8):
  Fix error messages and mdlen init in calc_evm_hmac()
  Add config for UML kernel
  Compile the UML kernel and download it in GitHub Actions
  Add support for UML in functions.sh
  Introduce TST_LIST variable to select a test to execute
  Add tests for EVM portable signatures
  Adapt fsverity.test to work with UML kernel
  Use in-place built fsverity binary instead of installing it

 .github/workflows/ci.yml        |   96 ++-
 build.sh                        |    5 +
 ci/fedora.sh                    |   12 +-
 config-uml                      |  235 +++++++
 src/evmctl.c                    |    8 +-
 tests/Makefile.am               |    2 +-
 tests/fsverity.test             |   18 +-
 tests/functions.sh              |   91 ++-
 tests/install-fsverity.sh       |    2 +-
 tests/install-mount-idmapped.sh |    7 +
 tests/portable_signatures.test  | 1173 +++++++++++++++++++++++++++++++
 11 files changed, 1637 insertions(+), 12 deletions(-)
 create mode 100644 config-uml
 create mode 100755 tests/install-mount-idmapped.sh
 create mode 100755 tests/portable_signatures.test

-- 
2.25.1
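As an added illustration of the mechanism the cover letter describes (not the ima-evm-utils functions.sh code), the sketch below shows how a test script can stay a nop unless UML_MODE=1, otherwise replace itself with the UML kernel running the same script as init on the host filesystem, and run only the tests named in TST_LIST. The names UML_KERNEL, uml_run, select_tests and run_tests, and the hostfs command line, are assumptions.

```shell
# Hypothetical sketch, not ima-evm-utils code. Source it from a test script.

# UML kernel binary produced by the CI build job (assumed location).
UML_KERNEL="${UML_KERNEL:-$PWD/linux}"

# Print the subset of "$1" (space-separated test names) selected by
# TST_LIST, preserving the original order; an empty TST_LIST selects all.
select_tests() {
    [ -n "${TST_LIST:-}" ] || { printf '%s\n' "$1"; return 0; }
    out=""
    for t in $1; do
        for want in $TST_LIST; do
            [ "$t" = "$want" ] && out="$out $t"
        done
    done
    printf '%s\n' "${out# }"
}

# Nop unless UML_MODE=1. Otherwise replace this process with the UML kernel
# booted on the host filesystem (hostfs, assumed command line), which runs
# the calling script "$1" as init. Linux passes unknown VAR=value parameters
# to init's environment, so TST_LIST reaches the inner run; UML_MODE=0 on
# the inner run makes this function a nop there and stops the recursion.
uml_run() {
    [ "${UML_MODE:-0}" = 1 ] || return 0
    [ -x "$UML_KERNEL" ] || {
        echo "UML kernel $UML_KERNEL not found or not executable" >&2
        return 1
    }
    exec "$UML_KERNEL" rootfstype=hostfs rw "init=$1" \
        UML_MODE=0 "TST_LIST=${TST_LIST:-}"
}

# Run each selected test; a test is a shell function named after itself
# that returns non-zero on failure. Returns 1 if any selected test failed.
run_tests() {
    rc=0
    for t in $(select_tests "$1"); do
        "$t" || rc=1
    done
    return $rc
}
```

A test script would call `uml_run "$0"` first and then `run_tests "test_a test_b"`; launching the kernel twice with different TST_LIST values gives each subset a fresh kernel with its own settings.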