forked from keylime/keylime
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpackit-ci.fmf
141 lines (124 loc) · 4.79 KB
/
packit-ci.fmf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
# common test plan configuration
environment:
RUST_IMA_EMULATOR: 1
TPM_BINARY_MEASUREMENTS: /var/tmp/binary_bios_measurements
context:
swtpm: yes
agent: rust
faked_measured_boot_log: yes
prepare:
- how: shell
script:
- ln -s $(pwd) /var/tmp/keylime_sources
- systemctl disable --now dnf-makecache.service || true
- systemctl disable --now dnf-makecache.timer || true
- dnf makecache
- dnf -y update tpm2-tools tpm2-tss
execute:
how: tmt
adjust:
# prepare step adjustments
- when: distro == centos-stream-8
enabled: 0
# make sure epel repo is available
- when: distro == rhel-9 or distro == centos-stream-9
prepare+:
- how: shell
order: 10
script:
- yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm || true
- dnf config-manager --set-enabled epel || true
- dnf -y install beakerlib
- when: distro == rhel-10 or distro == centos-stream-10
prepare+:
- how: shell
order: 10
script:
- yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm || true
- dnf config-manager --set-enabled epel || true
- dnf -y install beakerlib
## First test plan
/e2e-with-revocation:
summary: run keylime e2e tests
discover:
how: fmf
url: https://github.com/RedHat-SP-Security/keylime-tests
ref: main
test:
- /setup/apply_workarounds
- /setup/configure_tpm_emulator
- /setup/install_upstream_keylime
- /setup/install_rust_keylime_from_copr
- /setup/enable_keylime_coverage
# change IMA policy to simple and run one attestation scenario
# this is to utilize also a different parser
- /setup/configure_kernel_ima_module/ima_policy_simple
- /functional/basic-attestation-on-localhost
# now change IMA policy to signing and run all tests
- /setup/configure_kernel_ima_module/ima_policy_signing
- /compatibility/basic-attestation-on-localhost-api-version-bump
- /compatibility/basic-attestation-on-localhost-with-allowlist-excludelist
- /functional/agent_UUID_assignment_options
- /functional/basic-attestation-on-localhost
- /functional/basic-attestation-with-custom-certificates
- /functional/basic-attestation-with-concatenated-certificates
- /functional/basic-attestation-with-ima-signatures
- /functional/basic-attestation-without-mtls
- /functional/basic-attestation-with-unpriviledged-agent
- /functional/db-postgresql-sanity-on-localhost
- /functional/db-mariadb-sanity-on-localhost
- /functional/db-mysql-sanity-on-localhost
- /functional/durable-attestion-sanity-on-localhost
- /functional/ek-cert-use-ek_check_script
- /functional/ek-cert-use-ek_handle-custom-ca_certs
- /functional/iak-idevid-persisted-and-protected
- /functional/iak-idevid-register-with-certificates
- /functional/install-rpm-with-ima-signature
- /functional/keylime-non-default-ports
- /functional/keylime_create_policy-static-data
- /functional/keylime-policy-commands
- /functional/keylime_tenant-commands-on-localhost
- /functional/keylime_tenant-ima-signature-sanity
- /functional/measured-boot-swtpm-sanity
- /functional/service-logfiles-logging
- /functional/tenant-runtime-policy-sanity
- /functional/tpm-issuer-cert-using-ecc
- /functional/tpm_policy-sanity-on-localhost
- /functional/use-multiple-ima-sign-verification-keys
- /functional/webhook-certificate-on-localhost
- /regression/cve-2023-38200
- /regression/cve-2023-38201
- /regression/CVE-2023-3674
- /regression/issue-1380-agent-removed-and-re-added
- /regression/keylime-agent-option-override-through-envvar
- /sanity/keylime-secure_mount
- /sanity/opened-conf-files
- /upstream/run_keylime_tests
- /setup/generate_coverage_report
adjust+:
# discover step adjustments
# disable code coverage measurement everywhere except F41
- when: distro != fedora-41
discover+:
test-:
- /setup/enable_keylime_coverage
- /setup/generate_coverage_report
## Second test plan
/e2e-without-revocation:
summary: run keylime e2e tests without revocation support
environment+:
KEYLIME_TEST_DISABLE_REVOCATION: 1
discover:
how: fmf
url: https://github.com/RedHat-SP-Security/keylime-tests
ref: main
test:
- /setup/apply_workarounds
- /setup/configure_tpm_emulator
- /setup/install_upstream_keylime
- /setup/install_rust_keylime_from_copr
- /setup/configure_kernel_ima_module/ima_policy_simple
- /functional/basic-attestation-on-localhost
- /functional/basic-attestation-with-custom-certificates
- /functional/basic-attestation-without-mtls
- /functional/basic-attestation-with-unpriviledged-agent