On Wed, 2023-01-25 at 14:17 -0500, Mimi Zohar wrote:
> On Wed, 2023-01-25 at 09:50 +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > 
> > Add a build job, prerequisite of the existing job, to compile the UML kernel and upload it and the signing key to a cache. GitHub configuration should have two variables: LINUX_URL, the full URL of the kernel repository; LINUX_BRANCH, the branch to check out as fallback if the kernel repository does not have the same branch name as the one being pushed for ima-evm-utils. See:
> > 
> > https://docs.github.com/en/actions/learn-github-actions/variables
> > 
> > for directions on how to define those variables.
> > 
> > If the two variables are not defined, the default values are:
> > 
> > LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
> > LINUX_BRANCH=next-integrity
> > 
> > If there is a cache hit (same kernel commit and same kernel configuration), next time the UML kernel will not be rebuilt. To use the cache, it is necessary to install zstd in the container. Add this dependency to ci/fedora.sh.
> > 
> > The cache can be managed at the following URL:
> > 
> > https://github.com/<username>/ima-evm-utils/actions/caches
> > 
> > The page also offers the possibility to clean the cache, to force rebuilding the kernel.
> > 
> > Add a new entry in the testing matrix, for the fedora-latest container image, to run the tests with the UML kernel. The entry differs from the others for the new environment variable TST_ENV, set to 'um', and TST_KERNEL set to '../linux', as the tests will be executed from the tests/ directory in ima-evm-utils.
> > 
> > Add a new volume to the container, /dev/shm from the host, as it is required for running the UML kernel.
> > 
> > Extend the existing job with steps to download the UML kernel and signing key from the cache. The new steps are executed only if the matrix entry has TST_ENV set.
> > 
> > Finally, pass TST_ENV and TST_KERNEL to the tests. A test should also propagate these variables to the new environment, by passing them to the kernel command line.
> > 
> > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> 
> Thanks, Roberto. Just a couple of comments/questions below.
> 
> > ---
> > .github/workflows/ci.yml | 99 +++++++++++++++++++++++++++++++++++++++-
> > ci/fedora.sh | 3 +-
> > 2 files changed, 99 insertions(+), 3 deletions(-)
> > 
> > diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
> > index d2afdfe15467..110c8065237b 100644
> > --- a/.github/workflows/ci.yml
> > +++ b/.github/workflows/ci.yml
> > @@ -3,7 +3,79 @@ name: "distros" > > on: [push, pull_request] > > > > jobs: > > + build: > > + runs-on: ubuntu-latest > > + outputs: > > + LINUX_SHA: ${{ steps.last-commit.outputs.LINUX_SHA }} > > + name: build > > + timeout-minutes: 100 > > + strategy: > > + fail-fast: false > > + > > + steps: > > + - uses: actions/checkout@v3 > > + > > + - name: Determine last kernel commit > > + id: last-commit > > + shell: bash > > + run: | > > + mkdir linux-integrity > > + pushd linux-integrity > > + git init > > + LINUX_URL=${{ vars.LINUX_URL }} > > + if [ -z "$LINUX_URL" ]; then > > + LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git > > + fi > > + LINUX_BRANCH=${{ vars.LINUX_BRANCH }} > > + if [ -z "$LINUX_BRANCH" ]; then > > + LINUX_BRANCH=next-integrity > > + fi > > + git remote add origin $LINUX_URL > > + LINUX_SHA=$(git ls-remote origin $GITHUB_REF_NAME | awk '{print $1}') > > + [ -z "$LINUX_SHA" ] && LINUX_SHA=$(git ls-remote origin $LINUX_BRANCH | awk '{print $1}') > > + echo "LINUX_SHA=$LINUX_SHA" >> $GITHUB_OUTPUT > > + popd > > + > > + - name: Cache UML kernel > > + id: cache-linux > > + uses: actions/cache@v3 > > + with: > > + path: linux > > + key: linux-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/config-uml') }} > > + > > + - name: Cache signing key > > + id: cache-key > > + uses: actions/cache@v3 > > + with: > > + path: signing_key.pem > > + key: signing_key.pem-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/config-uml') }} > > + > > + - name: Compile UML kernel > > + if: steps.cache-linux.outputs.cache-hit != 'true' || steps.cache-key.outputs.cache-hit != 'true' > > + shell: bash > > + run: | > > + if [ "$DEVTOOLSET" = "yes" ]; then > > + source /opt/rh/devtoolset-10/enable > > + fi > > + if [ "$ARCH" = "i386" ]; then > > + CROSS_COMPILE_OPT="CROSS_COMPILE=i686-linux-gnu-" > > + fi > > + pushd linux-integrity > > + git pull --depth 1 origin ${{ steps.last-commit.outputs.LINUX_SHA }} > > + 
make ARCH=um olddefconfig > > + ./scripts/kconfig/merge_config.sh -m .config ../config-uml
> 
> merge_config.sh supports merging multiple config files. To simplify review, instead of having all the Kconfigs defined in config-uml, consider grouping them based on topic. For example one file could contain integrity, IMA and EVM, while another file could contain debugging info.
> 
> Is it absolutely necessary to do now, no, but going forward it would be nice. For example, any changes specifically needed for virtual machines, could be defined in a separate file.

Ok. Actually, virtual machines work with the same configuration. I added this at the bottom of config-uml to exclude unneeded drivers:

CONFIG_DRM=n
CONFIG_USB=n
CONFIG_SOUND=n

Since this would apply to both cases, I could just rename config-uml to config-test.

Also, it seems that the correct way to generate the kernel configuration at the beginning is 'make defconfig' not 'make olddefconfig', which in my system takes the config from /boot.

> > + # Update manually, to specify ARCH=um > > + make ARCH=um olddefconfig > > + # Make everything built-in > > + make ARCH=um localyesconfig
> 
> Updating the .config is happening so many times. Previously it worked without the additional "localyesconfig", why is it necessary now?

It ensures that everything is built-in, since we are not installing kernel modules.

Roberto

> > + make ARCH=um $CROSS_COMPILE_OPT -j$(nproc) > > + chmod +x linux > > + cp linux .. > > + cp certs/signing_key.pem .. > > + popd > > + > > job: > > + needs: build > > runs-on: ubuntu-latest > > > > strategy:
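Review bot: the "Cache UML kernel" and "Cache signing key" steps can diverge, and the `if:` on "Compile UML kernel" does not repair that. When `cache-linux` hits but `cache-key` misses (or the reverse), the kernel is rebuilt with a freshly generated certs/signing_key.pem, but actions/cache only saves a path whose key missed, so the cache ends up holding a kernel from one build and a key from another, and a test that depends on the key matching the certificate built into the kernel fails only on the following run. The two files come out of the same build, so store them under one cache entry (`path:` listing both `linux` and `signing_key.pem`, one key) so they hit or miss together. Two smaller points in the same hunk: `LINUX_URL=${{ vars.LINUX_URL }}` and `LINUX_BRANCH=${{ vars.LINUX_BRANCH }}` splice the repository variable's text straight into the `run:` script, where a quote or `;` in the value is executed by bash; pass them through an `env:` block and reference `"$LINUX_URL"` / `"$LINUX_BRANCH"` (and quote `"$GITHUB_REF_NAME"`). And when both `git ls-remote` calls return nothing, `LINUX_SHA` is empty, the cache key degrades to `linux--<hash>` and `git pull --depth 1 origin` runs with an empty revision; fail the step explicitly when `LINUX_SHA` is empty.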
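The commit-resolution step the commit message describes (use the kernel branch named like the pushed ima-evm-utils branch, else LINUX_BRANCH), written here as an added stand-alone POSIX shell example; it is not code from the patch or from ima-evm-utils. It differs from the workflow step in three ways a reviewer would ask for: the URL and branch names arrive as quoted parameters rather than as text spliced into the script, the lookup names the fully qualified `refs/heads/` ref so a tag or a nested branch of the same name cannot match, and an empty result is an error instead of an empty LINUX_SHA. The function names `resolve_kernel_sha` and `emit_linux_sha` and the `--emit` flag are my own choices; the default URL and branch are the ones quoted in the commit message.

```shell
#!/bin/sh
# Added example, not code from the ima-evm-utils patch: resolve the kernel
# commit to build (branch matching the pushed branch, else the fallback
# branch), with quoted inputs and an empty result treated as an error.

# Defaults as given in the commit message. In a workflow these should reach
# the shell through an env: block (env: LINUX_URL: ${{ vars.LINUX_URL }}),
# so the script only ever sees "$LINUX_URL", never the variable's text
# pasted into the script body.
LINUX_URL=${LINUX_URL:-https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git}
LINUX_BRANCH=${LINUX_BRANCH:-next-integrity}

# resolve_kernel_sha <repo-url-or-path> <preferred-branch> <fallback-branch>
# Prints the commit id of the first branch that exists; returns 1 when
# neither exists, so no caller derives a cache key from an empty id.
resolve_kernel_sha() {
    url=$1 preferred=$2 fallback=$3
    # git ls-remote tail-matches patterns: a bare "foo" would also match
    # refs/heads/team/foo, and without --heads a tag named foo. Ask for the
    # fully qualified branch ref instead.
    sha=$(git ls-remote --heads "$url" "refs/heads/$preferred" 2>/dev/null | awk '{print $1}')
    if [ -z "$sha" ]; then
        sha=$(git ls-remote --heads "$url" "refs/heads/$fallback" 2>/dev/null | awk '{print $1}')
    fi
    # Accept only a hex object id; anything else (empty, error text) fails.
    case $sha in
        "" | *[!0-9a-f]*)
            echo "resolve_kernel_sha: no branch '$preferred' or '$fallback' at $url" >&2
            return 1 ;;
    esac
    printf '%s\n' "$sha"
}

# emit_linux_sha: the workflow step's job as a function. Resolves the commit
# for $GITHUB_REF_NAME and appends LINUX_SHA=<id> to $GITHUB_OUTPUT (stdout
# when unset), failing the step instead of emitting an empty LINUX_SHA.
emit_linux_sha() {
    sha=$(resolve_kernel_sha "$LINUX_URL" "${GITHUB_REF_NAME:?GITHUB_REF_NAME is not set}" "$LINUX_BRANCH") || return 1
    printf 'LINUX_SHA=%s\n' "$sha" >> "${GITHUB_OUTPUT:-/dev/stdout}"
}

# Run the step only when invoked as "sh resolve-kernel.sh --emit", so the
# file can also be sourced for its functions.
if [ "${1:-}" = "--emit" ]; then
    emit_linux_sha
fi
```

In the workflow, the `run:` body would reduce to `sh ci/resolve-kernel.sh --emit` with `LINUX_URL` and `LINUX_BRANCH` supplied from an `env:` block; the hex check also rejects the case where `git ls-remote` prints an error line to stdout, which the original `awk '{print $1}'` would have turned into a bogus cache key.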