@@ -3,7 +3,77 @@ name: "distros"
on: [push, pull_request]
jobs:
+ build:
+ runs-on: ubuntu-latest
+ outputs:
+ LINUX_SHA: ${{ steps.last-commit.outputs.LINUX_SHA }}
+ name: build
+ timeout-minutes: 100
+ strategy:
+ fail-fast: false
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Determine last kernel commit
+ id: last-commit
+ shell: bash
+ run: |
+ mkdir linux-integrity
+ pushd linux-integrity
+ git init
+ LINUX_URL=${{ vars.LINUX_URL }}
+ if [ -z "$LINUX_URL" ]; then
+ LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
+ fi
+ LINUX_BRANCH=${{ vars.LINUX_BRANCH }}
+ if [ -z "$LINUX_BRANCH" ]; then
+ LINUX_BRANCH=next-integrity
+ fi
+ git remote add origin $LINUX_URL
+ LINUX_SHA=$(git ls-remote origin $GITHUB_REF_NAME | awk '{print $1}')
+ [ -z "$LINUX_SHA" ] && LINUX_SHA=$(git ls-remote origin $LINUX_BRANCH | awk '{print $1}')
+ echo "LINUX_SHA=$LINUX_SHA" >> $GITHUB_OUTPUT
+ popd
+
+ - name: Cache UML kernel
+ id: cache-linux
+ uses: actions/cache@v3
+ with:
+ path: linux
+ key: linux-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/config-uml') }}
+
+ - name: Cache signing key
+ id: cache-key
+ uses: actions/cache@v3
+ with:
+ path: signing_key.pem
+ key: signing_key.pem-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/config-uml') }}
+
+ - name: Compile UML kernel
+ if: steps.cache-linux.outputs.cache-hit != 'true' || steps.cache-key.outputs.cache-hit != 'true'
+ shell: bash
+ run: |
+ if [ "$DEVTOOLSET" = "yes" ]; then
+ source /opt/rh/devtoolset-10/enable
+ fi
+ if [ "$ARCH" = "i386" ]; then
+ CROSS_COMPILE_OPT="CROSS_COMPILE=i686-linux-gnu-"
+ fi
+ pushd linux-integrity
+ git pull --depth 1 origin ${{ steps.last-commit.outputs.LINUX_SHA }}
+ make ARCH=um olddefconfig
+ ./scripts/kconfig/merge_config.sh -m .config ../config-uml
+ # Update manually, to specify ARCH=um
+ make ARCH=um olddefconfig
+ make ARCH=um $CROSS_COMPILE_OPT -j$(nproc)
+ chmod +x linux
+ cp linux ..
+ cp certs/signing_key.pem ..
+ popd
+
job:
+ needs: build
runs-on: ubuntu-latest
strategy:
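Review bot: The `Determine last kernel commit` step interpolates `${{ vars.LINUX_URL }}` and `${{ vars.LINUX_BRANCH }}` directly into the bash script, so their contents are parsed as shell source rather than data. The values come from repository variables, so this is hardening, but passing them through `env:` and quoting the expansions removes the problem entirely. The step also publishes `LINUX_SHA` unchecked: if neither ref exists the value is empty, both cache keys collapse to `linux--<hash>` and `git pull --depth 1 origin` in the compile step runs with no ref, while a pattern matching more than one ref writes a multi-line value to `$GITHUB_OUTPUT`. The rewrite below moves the variables to `env:`, quotes them, and fails the step unless exactly one 40-hex commit id was resolved. In the compile step, `DEVTOOLSET` and `ARCH` are not set anywhere in this job as far as the hunk shows, so those two branches look like dead code here.

```yaml
      - name: Determine last kernel commit
        id: last-commit
        shell: bash
        env:
          LINUX_URL: ${{ vars.LINUX_URL }}
          LINUX_BRANCH: ${{ vars.LINUX_BRANCH }}
        run: |
          # … unchanged: mkdir, pushd, git init (the two `VAR=${{ vars.… }}` assignments are dropped) …
          # … unchanged: default-URL and default-branch fallbacks …
          git remote add origin "$LINUX_URL"
          LINUX_SHA=$(git ls-remote origin "$GITHUB_REF_NAME" | awk '{print $1}')
          [ -z "$LINUX_SHA" ] && LINUX_SHA=$(git ls-remote origin "$LINUX_BRANCH" | awk '{print $1}')
          # Refuse an empty or multi-line result before it reaches the cache keys.
          if ! [[ "$LINUX_SHA" =~ ^[0-9a-f]{40}$ ]]; then
            echo "could not resolve exactly one kernel commit" >&2
            exit 1
          fi
          echo "LINUX_SHA=$LINUX_SHA" >> "$GITHUB_OUTPUT"
          # … unchanged: popd …
```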
@@ -75,6 +145,12 @@ jobs:
CC: clang
TSS: ibmtss
+ - container: "fedora:latest"
+ env:
+ CC: clang
+ TSS: ibmtss
+ UML_MODE: 1
+
- container: "centos:7"
env:
CC: gcc
@@ -98,7 +174,7 @@ jobs:
container:
image: ${{ matrix.container }}
env: ${{ matrix.env }}
- options: --privileged --device /dev/loop-control
+ options: --privileged --device /dev/loop-control -v /dev/shm:/dev/shm
steps:
- name: Show OS
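Review bot: The added `-v /dev/shm:/dev/shm` bind-mounts the runner host's `/dev/shm` into every matrix container, although only the entry with `UML_MODE: 1` appears to need it, and these containers already run `--privileged`. Host shared memory then becomes readable and writable by all test jobs, which matters most if this workflow ever runs on non-ephemeral runners. Consider limiting the mount to the UML entry, e.g. `options: --privileged --device /dev/loop-control ${{ matrix.env.UML_MODE && '-v /dev/shm:/dev/shm' || '' }}`. The hunk does not say why the mount is required, so a short comment above `options:` stating the reason (presumably UML's memory backing file) would help the next reviewer.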
@@ -125,8 +201,24 @@ jobs:
fi
fi
+ - name: Retrieve UML kernel
+ if: ${{ matrix.env.UML_MODE && fromJSON(matrix.env.UML_MODE) == 1 }}
+ uses: actions/cache@v3
+ continue-on-error: false
+ with:
+ path: linux
+ key: linux-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/config-uml') }}
+
+ - name: Retrieve signing key
+ if: ${{ matrix.env.UML_MODE && fromJSON(matrix.env.UML_MODE) == 1 }}
+ continue-on-error: false
+ uses: actions/cache@v3
+ with:
+ path: signing_key.pem
+ key: signing_key.pem-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/config-uml') }}
+
- name: Compiler version
run: $CC --version
- name: Compile
- run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" ./build.sh
+ run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" UML_MODE="$UML_MODE" ./build.sh
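Review bot: `continue-on-error: false` is already the default and does not turn a cache miss into a failure, so both `Retrieve …` steps succeed even when nothing was restored (cache evicted, or `needs.build.outputs.LINUX_SHA` empty). `./build.sh` then runs with `UML_MODE=1` but without the `linux` binary or `signing_key.pem`. Adding `fail-on-cache-miss: true` under `with:` in both steps makes that case an explicit failure; what build.sh does when the files are absent is not visible in this hunk. Separately, `signing_key.pem` is a private key kept in the Actions cache, which other workflow runs in the repository can restore, so a comment such as `# throwaway module-signing key generated by the UML build; never trust it outside CI` would document that it must not be reused elsewhere.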
@@ -44,7 +44,8 @@ yum -y install \
util-linux \
vim-common \
wget \
- which
+ which \
+ zstd
yum -y install docbook5-style-xsl || true
yum -y install swtpm || true