-
Notifications
You must be signed in to change notification settings - Fork 3
/
packit-ci.fmf
145 lines (128 loc) · 5.31 KB
/
packit-ci.fmf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# common test plan configuration
environment:
RUST_IMA_EMULATOR: 1
TPM_BINARY_MEASUREMENTS: /var/tmp/binary_bios_measurements
context:
swtpm: yes
agent: rust
prepare:
- how: shell
script:
- systemctl disable --now dnf-makecache.service || true
- systemctl disable --now dnf-makecache.timer || true
- dnf makecache
- dnf -y update tpm2-tools tpm2-tss
- dnf install selinux-policy-devel tpm2-abrmd-selinux -y
- make -f /usr/share/selinux/devel/Makefile keylime.pp
- semodule -i keylime.pp
- restorecon -R /usr/bin/ /usr/local/bin/ /var/lib/ /var/log/
- rm -f /etc/yum.repos.d/tag-repository.repo
- make -f /usr/share/selinux/devel/Makefile local_dontaudit.pp
- semodule -i local_dontaudit.pp
execute:
how: tmt
adjust:
# prepare step adjustments
- when: distro == centos-stream-9
prepare+:
- how: shell
order: 30
script:
- rpm -Uv https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm || true
/e2e-upstream-keylime-without-revocation:
summary: run upstream keylime e2e tests
context+:
faked_measured_boot_log: yes
discover:
how: fmf
url: https://github.com/RedHat-SP-Security/keylime-tests
ref: main
test:
- /setup/configure_tpm_emulator
- /setup/install_upstream_keylime
- /setup/install_rust_keylime_from_copr
# change IMA policy to simple and run one attestation scenario
# this is to utilize also a different parser
- /setup/configure_kernel_ima_module/ima_policy_simple
- /setup/inject_SELinux_AVC_check
- /functional/basic-attestation-on-localhost
# now change IMA policy to signing and run all tests
- /setup/configure_kernel_ima_module/ima_policy_signing
- /functional/agent_UUID_assignment_options
- /functional/basic-attestation-on-localhost
- /functional/basic-attestation-with-custom-certificates
- /functional/basic-attestation-with-ima-signatures
- /functional/basic-attestation-without-mtls
- /functional/basic-attestation-with-unpriviledged-agent
- /functional/db-postgresql-sanity-on-localhost
- /functional/db-mariadb-sanity-on-localhost
- /functional/db-mysql-sanity-on-localhost
- /functional/durable-attestion-sanity-on-localhost
- /functional/ek-cert-use-ek_check_script
- /functional/ek-cert-use-ek_handle-custom-ca_certs
- /functional/install-rpm-with-ima-signature
- /functional/keylime-non-default-ports
- /functional/keylime_tenant-commands-on-localhost
- /functional/keylime_tenant-ima-signature-sanity
- /functional/measured-boot-swtpm-sanity
- /functional/service-logfiles-logging
- /functional/tenant-runtime-policy-sanity
- /functional/tpm-issuer-cert-using-ecc
- /functional/tpm_policy-sanity-on-localhost
- /functional/use-multiple-ima-sign-verification-keys
- /upstream/run_keylime_tests
execute:
how: tmt
adjust:
- when: distro == fedora-rawhide
environment+:
AVC_CHECK_AUSEARCH_PARAMS: "-se keylime"
because: "On Rawhide we ignore SELinux AVCs not related to keylime"
- when: target_PR_branch is defined and target_PR_branch != main
enabled: false
because: we want to run this plan only for PRs targeting the main branch
/e2e-distribution-keylime-without-revocation:
summary: run distribution keylime e2e tests
context+:
faked_measured_boot_log: no
discover:
how: fmf
url: https://github.com/RedHat-SP-Security/keylime-tests
ref: rhel-9-main
test:
- /setup/configure_tpm_emulator
# change IMA policy to simple and run one attestation scenario
# this is to utilize also a different parser
- /setup/configure_kernel_ima_module/ima_policy_simple
- /setup/inject_SELinux_AVC_check
- /functional/basic-attestation-on-localhost
# now change IMA policy to signing and run all tests
- /setup/configure_kernel_ima_module/ima_policy_signing
- /functional/agent_UUID_assignment_options
- /functional/basic-attestation-on-localhost
- /functional/basic-attestation-with-custom-certificates
- /functional/basic-attestation-with-ima-signatures
- /functional/basic-attestation-without-mtls
- /functional/basic-attestation-with-unpriviledged-agent
- /functional/db-postgresql-sanity-on-localhost
- /functional/db-mariadb-sanity-on-localhost
- /functional/db-mysql-sanity-on-localhost
- /functional/durable-attestion-sanity-on-localhost
- /functional/ek-cert-use-ek_check_script
- /functional/ek-cert-use-ek_handle-custom-ca_certs
- /functional/install-rpm-with-ima-signature
- /functional/keylime-non-default-ports
- /functional/keylime_tenant-commands-on-localhost
- /functional/keylime_tenant-ima-signature-sanity
- /functional/measured-boot-swtpm-sanity
- /functional/service-logfiles-logging
- /functional/tenant-runtime-policy-sanity
- /functional/tpm-issuer-cert-using-ecc
- /functional/tpm_policy-sanity-on-localhost
- /functional/use-multiple-ima-sign-verification-keys
execute:
how: tmt
adjust:
- when: target_PR_branch is defined and target_PR_branch != rhel-9-main
enabled: false
because: we want to run this plan only for PRs targeting the rhel-9-main branch