From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>,
	Stefan Berger <stefanb@linux.ibm.com>,
	Vitaly Chikunov <vt@altlinux.org>,
	linux-integrity@vger.kernel.org,
	Jia Zhang <zhang.jia@linux.alibaba.com>,
	"YiLin . Li" <YiLin.Li@linux.alibaba.com>
Subject: Re: [PATCH ima-evm-utils v4] ima-evm-utils: Support SM2 algorithm for sign and verify
Date: Thu, 15 Jul 2021 08:39:16 +0200
Message-ID: <YO/YFAEWN5VzYIsQ@pevik>
In-Reply-To: <422b37b533ed6e24d783f323f7d4e22736f0e4bd.camel@linux.ibm.com>

Hi Mimi, Tianjia,

> Hi Tianjia,

> On Wed, 2021-07-14 at 21:01 +0800, Tianjia Zhang wrote:

> > index 5b07711..a0001b0 100644
> > --- a/.travis.yml
> > +++ b/.travis.yml
> > @@ -93,4 +93,4 @@ before_install:
> >  script:
> >      - INSTALL="${DISTRO%%:*}"
> >      - INSTALL="${INSTALL%%/*}"
> > -    - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if
> > [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi
> > && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ !
> > \"$VARIANT\" ]; then which tpm_server || which swtpm ||
> > ./tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\"
> > ./build.sh"
> > +    - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if
> > [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi
> > && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ !
> > \"$VARIANT\" ]; then which tpm_server || which swtpm ||
> > ./tests/install-swtpm.sh; fi && ./tests/install-openssl3.sh && 
> > CC=\"$CC\" VARIANT=\"$VARIANT\" ./build.sh"
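
Review bot: In the added script line, `./tests/install-openssl3.sh &&` is chained unconditionally, whereas the swtpm install just before it is guarded by `if [ ! \"$VARIANT\" ]`. Every matrix entry will therefore fetch OpenSSL 3.0, and a failure in that step stops `./build.sh` from running at all. Guard it with a dedicated matrix variable, passed into the container the way `TSS` is, so that only the jobs that need OpenSSL 3.0 run it and the other jobs keep building against the distro's own OpenSSL.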

> With "install-openssl3.sh", installing openssl 3.0 is being done for
> every distro matrix rule.  This needs to be limited to a specific
> instance.  Petr, please correct if I'm wrong, I assume a new variable
> needs to be defined, similar to "TSS".
+1

> A similar change would need to be made in ci.yml.
+1

> > new file mode 100755
> > index 0000000..21adb6f
> > --- /dev/null
> > +++ b/tests/install-openssl3.sh
> > @@ -0,0 +1,15 @@
> > +#!/bin/sh
> > +
> > +set -ex
> > +
> > +# The latest version in July 2021
> > +wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.0-beta1.tar.gz
> > +tar --no-same-owner -xvzf openssl-3.0.0-beta1.tar.gz
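
Review bot: The `wget --no-check-certificate` line turns off TLS certificate validation, and nothing checks the tarball before `tar` unpacks it, so the CI job accepts whatever the network path returns for that URL. Drop `--no-check-certificate` and compare the download against a pinned SHA-256 before extracting. The comment `# The latest version in July 2021` will also go stale; holding the version in one variable used by both the `wget` and `tar` lines would make the later move off beta1 a one-line change.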

> Petr said, "Although it appears there is no distro which would have
> openssl 3.0 [1],
> Debian actually has 3.0.0~~beta1-1 in experimental [2]. openSUSE has a slightly
> older version openssl-3.0.0-alpha16 [3]. I suppose we update soon to beta1 as
> well.
> Using distro packages would probably be faster to run in CI than install from git."
> I guess, whether the openssl 3.0 source code is from the distro or from
> openssl, it needs to be compiled from source.

> Perhaps limiting compiling openssl 3.0 to those distros with the source
> package is simpler than defining a new travis.yml variable, as
> suggested above.  Petr?
It'll be slower, but why not. It might be better not to cover only Debian.
But IMHO there should be at least some distros tested with regular openssl 1.1.x
(or whichever particular version it has) which means some runs will be added to the
matrix. But there should be a balance between test coverage and time required
for tests to be run (we don't want to end up like u-boot [1] :)).

Kind regards,
Petr

[1] https://github.com/u-boot/u-boot/runs/3073277277

> thanks,

> Mimi
