packit-ci.fmf
# Plan: keylime end-to-end run with revocation left enabled (this plan
# defines no KEYLIME_TEST_DISABLE_REVOCATION variable).
/e2e-with-revocation:

  summary: run keylime e2e tests

  # Context dimensions declared for this plan.
  # NOTE(review): a bare `yes` is read as a boolean by YAML 1.1 loaders;
  # confirm the consumer matches it the way the test metadata expects.
  context:
    swtpm: yes
    agent: python

  # Guest preparation, executed as shell commands in list order.
  prepare:
    how: shell
    script:
      # removes the tag-repository repo definition from yum's configuration
      - rm -f /etc/yum.repos.d/tag-repository.repo
      # exposes the current directory (presumably the keylime checkout under
      # test; confirm) at a fixed path.
      # NOTE(review): $(pwd) is unquoted and the link lives in /var/tmp, so
      # this assumes a fresh single-tenant guest where the link name does not
      # already exist and the path contains no whitespace.
      - ln -s $(pwd) /var/tmp/keylime_sources

  # Test metadata is fetched from an external repository at run time.
  # NOTE(review): `ref: main` is a moving branch, so the test code that runs
  # on the guest can change without any change to this file. Pin to a tag or
  # commit SHA if reviewed, reproducible test content is required.
  discover:
    how: fmf
    url: https://github.com/RedHat-SP-Security/keylime-tests
    ref: main
    # Order matters: /setup/* entries reconfigure the guest for the
    # /functional/* entries that follow them.
    test:
      - /setup/configure_tpm_emulator
      - /setup/install_upstream_keylime
      - /setup/enable_keylime_coverage
      # change IMA policy to simple and run one attestation scenario
      # this is to utilize also a different parser
      - /setup/configure_kernel_ima_module/ima_policy_simple
      - /functional/basic-attestation-on-localhost
      # now change IMA policy to signing and run all tests
      - /setup/configure_kernel_ima_module/ima_policy_signing
      - /functional/basic-attestation-on-localhost
      - /functional/basic-attestation-with-custom-certificates
      - /functional/basic-attestation-with-ima-signatures
      - /functional/basic-attestation-without-mtls
      - /functional/basic-attestation-with-unpriviledged-agent
      - /functional/ek-cert-use-ek_check_script
      - /functional/ek-cert-use-ek_handle-custom-ca_certs
      - /functional/install-rpm-with-ima-signature
      - /functional/keylime_tenant-commands-on-localhost
      - /functional/keylime_tenant-ima-signature-sanity
      - /functional/tpm_policy-sanity-on-localhost
      - /functional/db-postgresql-sanity-on-localhost
      - /functional/db-mariadb-sanity-on-localhost
      - /functional/db-mysql-sanity-on-localhost
      - /functional/tenant-allowlist-sanity
      - /functional/measured-boot-swtpm-sanity
      # now set zeromq as a default revocation notifier and test it
      - /setup/configure_default_revocation_notifier/zeromq
      - /functional/basic-attestation-on-localhost
      # now set revocation notifier back to agent
      - /setup/configure_default_revocation_notifier/agent
      - /upstream/run_keylime_tests
      - /setup/generate_coverage_report

  # Per-distro overrides; `key+` appends to and `key-` removes from the
  # values defined above when the `when` condition matches.
  adjust:
    # prepare step adjustments
    # NOTE(review): epel-release is installed from a URL that uses the
    # moving "-latest" alias. dnf's localpkg_gpgcheck is off by default, so
    # the RPM signature is presumably not verified and integrity rests on TLS
    # to dl.fedoraproject.org; verify on the guest image. Importing the EPEL
    # key and enabling the check, or installing epel-release from a distro
    # repository, would close that gap.
    - prepare+:
        script+:
          - yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
      when: distro == centos-stream-9
    - prepare+:
        script+:
          - yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
      when: distro == centos-stream-8
    # discover step adjustments
    # disable code coverage measurement everywhere except F35
    - when: distro != fedora-35
      discover+:
        test-:
          - /setup/enable_keylime_coverage
          - /setup/generate_coverage_report

  execute:
    how: tmt
# Plan: keylime end-to-end run with revocation support disabled. The test
# list is a reduced one: setup plus four basic attestation scenarios.
/e2e-without-revocation:

  summary: run keylime e2e tests without revocation support

  # Variable defined for this plan's environment; presumably read by the
  # keylime-tests suite to turn revocation off (confirm against that repo).
  environment:
    KEYLIME_TEST_DISABLE_REVOCATION: 1

  # Context dimensions declared for this plan.
  # NOTE(review): a bare `yes` is read as a boolean by YAML 1.1 loaders;
  # confirm the consumer matches it the way the test metadata expects.
  context:
    swtpm: yes
    agent: python

  # Guest preparation, executed as shell commands in list order.
  prepare:
    how: shell
    script:
      # removes the tag-repository repo definition from yum's configuration
      - rm -f /etc/yum.repos.d/tag-repository.repo
      # exposes the current directory (presumably the keylime checkout under
      # test; confirm) at a fixed path.
      # NOTE(review): $(pwd) is unquoted and the link lives in /var/tmp, so
      # this assumes a fresh single-tenant guest where the link name does not
      # already exist and the path contains no whitespace.
      - ln -s $(pwd) /var/tmp/keylime_sources

  # Test metadata is fetched from an external repository at run time.
  # NOTE(review): `ref: main` is a moving branch, so the test code that runs
  # on the guest can change without any change to this file. Pin to a tag or
  # commit SHA if reviewed, reproducible test content is required.
  discover:
    how: fmf
    url: https://github.com/RedHat-SP-Security/keylime-tests
    ref: main
    test:
      - /setup/configure_tpm_emulator
      - /setup/install_upstream_keylime
      - /functional/basic-attestation-on-localhost
      - /functional/basic-attestation-with-custom-certificates
      - /functional/basic-attestation-without-mtls
      - /functional/basic-attestation-with-unpriviledged-agent

  # Per-distro overrides; `key+` appends to the values defined above when
  # the `when` condition matches.
  adjust:
    # prepare step adjustments
    # NOTE(review): epel-release is installed from a URL that uses the
    # moving "-latest" alias. dnf's localpkg_gpgcheck is off by default, so
    # the RPM signature is presumably not verified and integrity rests on TLS
    # to dl.fedoraproject.org; verify on the guest image. Importing the EPEL
    # key and enabling the check, or installing epel-release from a distro
    # repository, would close that gap.
    - prepare+:
        script+:
          - yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
      when: distro == centos-stream-9
    - prepare+:
        script+:
          - yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
      when: distro == centos-stream-8

  execute:
    how: tmt