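# packit-ci.fmf: tmt plan that runs the keylime end-to-end tests. The plan
# links the current checkout into /var/tmp and pulls the test suite from the
# keylime-tests repository.
/e2e:
  summary: run keylime e2e tests

  # Variables exported to the tests. Their meaning is defined by the
  # keylime-tests suite, not by this file.
  environment:
    TPM_BINARY_MEASUREMENTS: /var/tmp/binary_bios_measurements
    RUST_IMA_EMULATOR: 1
    KEYLIME_RUST_CODE_COVERAGE: 1

  # NOTE(review): swtpm and faked_measured_boot_log suggest the run uses a
  # software TPM and a synthetic measured-boot log, so a green run would not
  # exercise a hardware root of trust; confirm against the keylime-tests
  # adjust rules.
  # The plain `yes` values are kept as written: rules that match on these
  # dimensions may compare against that exact spelling.
  context:
    swtpm: yes
    agent: rust
    faked_measured_boot_log: yes

  prepare:
    - how: shell
      script:
        # Fixed link name in /var/tmp; fails if the link already exists, and
        # the unquoted $(pwd) breaks on a checkout path containing spaces.
        - ln -s $(pwd) /var/tmp/rust-keylime_sources
        - dnf makecache
        # Best effort: "|| true" keeps the step green when the unit is absent.
        - systemctl disable --now dnf-makecache.service || true
        - systemctl disable --now dnf-makecache.timer || true

  discover:
    how: fmf
    url: https://github.com/RedHat-SP-Security/keylime-tests
    # `main` is a moving branch: the test code executed in the guest can
    # change without any change to this repository. Pin a tag or commit here
    # if runs must be reproducible or reviewed before they execute.
    ref: main
    # Test names must match the keylime-tests repository verbatim, including
    # spellings such as "unpriviledged", "attestion" and the upper-case
    # CVE-2023-3674 entry; do not "correct" them here.
    test:
      - /setup/apply_workarounds
      - /setup/configure_tpm_emulator
      - /setup/install_upstream_keylime
      - /setup/install_upstream_rust_keylime
      # change IMA policy to simple and run one attestation scenario
      # this is to utilize also a different parser
      - /setup/configure_kernel_ima_module/ima_policy_simple
      - /functional/basic-attestation-on-localhost
      # now change IMA policy to signing and run all tests
      - /setup/configure_kernel_ima_module/ima_policy_signing
      - /compatibility/basic-attestation-on-localhost-api-version-bump
      - /compatibility/basic-attestation-on-localhost-with-allowlist-excludelist
      - /functional/agent_UUID_assignment_options
      - /functional/basic-attestation-on-localhost
      - /functional/basic-attestation-with-custom-certificates
      - /functional/basic-attestation-with-concatenated-certificates
      - /functional/basic-attestation-with-ima-signatures
      - /functional/basic-attestation-without-mtls
      - /functional/basic-attestation-with-unpriviledged-agent
      - /functional/db-postgresql-sanity-on-localhost
      - /functional/db-mariadb-sanity-on-localhost
      - /functional/db-mysql-sanity-on-localhost
      - /functional/durable-attestion-sanity-on-localhost
      - /functional/ek-cert-use-ek_check_script
      - /functional/ek-cert-use-ek_handle-custom-ca_certs
      - /functional/iak-idevid-persisted-and-protected
      - /functional/iak-idevid-register-with-certificates
      - /functional/install-rpm-with-ima-signature
      - /functional/keylime-non-default-ports
      - /functional/keylime_create_policy-static-data
      - /functional/keylime_policy-commands
      - /functional/keylime_tenant-commands-on-localhost
      - /functional/keylime_tenant-ima-signature-sanity
      - /functional/measured-boot-swtpm-sanity
      - /functional/service-logfiles-logging
      - /functional/tenant-runtime-policy-sanity
      - /functional/tpm-issuer-cert-using-ecc
      - /functional/tpm_policy-sanity-on-localhost
      - /functional/use-multiple-ima-sign-verification-keys
      - /functional/webhook-certificate-on-localhost
      # Security regression tests; keep these in the plan when trimming it.
      - /regression/cve-2023-38200
      - /regression/cve-2023-38201
      - /regression/CVE-2023-3674
      - /regression/issue-1380-agent-removed-and-re-added
      - /regression/keylime-agent-option-override-through-envvar
      - /sanity/keylime-secure_mount
      - /upstream/run_rust_keylime_tests
      - /setup/generate_upstream_rust_keylime_code_coverage

  adjust:
    # prepare step adjustments
    - when: distro == centos-stream-9
      prepare+:
        - how: shell
          script:
            # Installs a "-latest-" release RPM straight from a URL. Packages
            # named on the command line are typically not signature-checked
            # unless localpkg_gpgcheck is enabled, so integrity rests on TLS
            # to the mirror. NOTE(review): consider importing the EPEL key
            # and verifying the RPM before install.
            - yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
    # disable code coverage measurement everywhere except fedora-41
    # NOTE(review): the comment here previously also named CS9 as an
    # exception, but the condition below does not exclude centos-stream-9,
    # so coverage is turned off there too. Confirm which is intended.
    - when: distro != fedora-41
      environment+:
        KEYLIME_RUST_CODE_COVERAGE: 0
      discover+:
        test-:
          - /setup/generate_upstream_rust_keylime_code_coverage

  execute:
    how: tmt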