On Thu, 2023-01-12 at 13:24 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> UML kernels differ from other kernels in the ability to be executed as
> processes in the current environment, without requirements such as
> virtualization. It is sufficient to execute the binary, like the other
> binaries.
>
> In addition, UML kernels have the ability to see the host filesystem and
> thus they could for example run an executable from the host as init and
> have a fully working system without creating an image, as would happen
> if a regular virtual machine is used.
>
> These features make UML kernels very suitable for integration in existing
> test suites designed to perform the tests in the current environment such
> as ima-evm-utils. In the current environment, test suites cannot test new
> functionality not yet integrated in the host kernel, or with custom kernel
> configuration options not usually enabled in production. Also, test suites
> might not be able to set/reset kernel settings for security reasons.
>
> With the ability to do kernel testing more in depth, ima-evm-utils might
> introduce specific tests for that, separated from the tests to verify the
> ima-evm-utils user space functionality. At the moment, there is no such
> distinction; existing tests verify both.
>
> The goal of this patch set is to overcome the limitations by making the
> test suite in ima-evm-utils able to run in an environment created by the
> UML kernel, with minimal changes. At the same time, it will preserve the
> ability of the test suite to run in the current environment.
>
> First, fix error messages and a variable in evmctl. Then, add the
> config-uml file with custom kernel configuration options for the tests, to
> be merged with the default configuration. Add a new job in the Github
> workflow to build the UML kernel from a repository and branch specified in
> the LINUX_URL and LINUX_BRANCH variables. Per Github documentation, these
> variables can be defined at organization, repository and environment level.
>
> Introduce a new API for using UML kernels for existing and new test
> scripts. Unless the environment variable UML_MODE is set to 1, calling the
> API results in a nop, and tests are executed in the current environment.
>
> Add the possibility to select individual tests to run in a test script,
> with the TST_LIST variable, so that the UML kernel can be launched multiple
> times with a subset of tests (useful if for example a test requires kernel
> settings different from the previous test).
>
> Add tests for EVM portable signatures supporting UML kernels and port
> fsverity.test to use UML kernels.
>
> Finally, don't require making changes to the system to run fsverity.test
> and install a software dependency after the appropriate repository has been
> set up.

Thank you, Roberto!

The UML support should simplify testing new kernel features before they are
upstreamed and/or configured/enabled by the distros. Building a UML kernel
is relatively quick (~8 minutes). With the UML kernel and image caching, the
impact should be minimal.

Once everyone has had a chance to review, comment, and test this patch set,
we'll release a new version of ima-evm-utils.

thanks,

Mimi

> 
> Mimi Zohar (1):
>   ci: haveged requires EPEL on CentOS stream:8
>
> Roberto Sassu (8):
>   Fix error messages and mdlen init in calc_evm_hmac()
>   Add config for UML kernel
>   Compile the UML kernel and download it in Github Actions
>   Add support for UML in functions.sh
>   Introduce TST_LIST variable to select a test to execute
>   Add tests for EVM portable signatures
>   Adapt fsverity.test to work with UML kernel
>   Use in-place built fsverity binary instead of installing it
>
>  .github/workflows/ci.yml        |   96 ++-
>  build.sh                        |    5 +
>  ci/fedora.sh                    |   12 +-
>  config-uml                      |  235 +++++++
>  src/evmctl.c                    |    8 +-
>  tests/Makefile.am               |    2 +-
>  tests/fsverity.test             |   18 +-
>  tests/functions.sh              |   91 ++-
>  tests/install-fsverity.sh       |    2 +-
>  tests/install-mount-idmapped.sh |    7 +
>  tests/portable_signatures.test  | 1173 +++++++++++++++++++++++++++++++
>  11 files changed, 1637 insertions(+), 12 deletions(-)
>  create mode 100644 config-uml
>  create mode 100755 tests/install-mount-idmapped.sh
>  create mode 100755 tests/portable_signatures.test
>
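The cover letter describes two mechanisms without showing them: a UML entry point that is a nop unless UML_MODE=1, and TST_LIST for selecting a subset of tests so the kernel can be relaunched per subset. The sketch below is an added example, not code from ima-evm-utils or from this patch set; the function names (uml_run, selected_tests, run_tests), the three stand-in tests, the INSIDE_UML marker and the UML_KERNEL path are all hypothetical. It relies on two real UML/Linux behaviours: a UML kernel binary accepts `rootfstype=hostfs` and `init=` on its command line, and unrecognised `name=value` kernel parameters are passed to init as environment variables, which is how TST_LIST reaches the script inside the guest.

```shell
#!/bin/sh
# Added example (not ima-evm-utils code). Minimal test-runner sketch showing
# the two behaviours described in the cover letter:
#  - TST_LIST selects a subset of tests by name (empty = run all);
#  - UML_MODE=1 relaunches this script inside a UML kernel, otherwise the
#    UML entry point is a nop and tests run in the current environment.
# All function names, the test names and the INSIDE_UML marker are hypothetical.

# Three constructed stand-in tests; each prints its name and succeeds.
test_a() { echo "test_a"; }
test_b() { echo "test_b"; }
test_c() { echo "test_c"; }

# Return 0 if the named test is selected by TST_LIST (a whitespace-separated
# list of test names). An empty or unset TST_LIST selects every test.
test_selected() {
    [ -z "${TST_LIST:-}" ] && return 0
    for t in $TST_LIST; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Print the selected tests, in script order, as one space-separated line.
# Selection order follows the script, not the order given in TST_LIST.
selected_tests() {
    out=""
    for t in test_a test_b test_c; do
        test_selected "$t" && out="${out:+$out }$t"
    done
    echo "$out"
}

# Entry point modelled on the cover letter's description. When UML_MODE is
# not 1 this is a nop. When it is 1 and we are not yet inside the guest
# (INSIDE_UML is set only on the kernel command line we build here), exec the
# UML kernel with the host filesystem as root and this script as init.
# Unknown name=value kernel parameters become environment variables of init,
# so TST_LIST and the marker are visible to the relaunched copy.
uml_run() {
    [ "${UML_MODE:-0}" = "1" ] || return 0
    [ -n "${INSIDE_UML:-}" ] && return 0
    exec "${UML_KERNEL:-./linux}" rootfstype=hostfs rw mem=256M \
        init="$(readlink -f "$0")" INSIDE_UML=1 TST_LIST="${TST_LIST:-}" quiet
}

# Run the selected tests, after the (possibly nop) UML dispatch.
run_tests() {
    uml_run
    for t in $(selected_tests); do
        "$t" || return 1
    done
    return 0
}

# Stand-alone use, e.g.:  UML_MODE=1 UML_KERNEL=./linux TST_LIST="test_b" ./runner.sh
run_tests
```

Relaunching the kernel once per TST_LIST subset is what lets one test change kernel settings (or a securityfs policy) without leaking that state into the next test: each subset starts from a fresh guest, while the same script still runs unchanged on the host when UML_MODE is unset.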