[PATCH ima-evm-utils 0/9] Docker based Travis CI builds

[PATCH ima-evm-utils 0/9] Docker based Travis CI builds

[Petr Vorel]

Hi,

we talked about Docker based Travis CI builds.
Here they are [1]. Working on it revealed few bugs, that's why they're
included.

I've resent 2 commits ("man:" prefix).

I haven't addressed Mimi's suggestion to replace ibmswtpm2 with libtmps/swtpm [2].

Kind regards,
Petr

[1] https://travis-ci.org/github/pevik/ima-evm-utils/builds/717681733
[2] https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm

Petr Vorel (9):
  configure: Fix tss2-esys check
  man: Fix xmlcatalog path detection
  man: Generate doc targets only when XSL found
  install-swtpm.sh: Ignore certificate for download
  install-swtpm.sh: Update ibmtpm to version 1637
  Remove install-tpm2-tss.sh
  autogen.sh: Cleanup
  tests: Require cmp
  travis: Switch to docker based builds

 .travis.yml                    | 106 +++++++++++++++++++++++----------
 Makefile.am                    |   4 ++
 autogen.sh                     |  14 +----
 build.sh                       |  97 ++++++++++++++++++++++++++++++
 configure.ac                   |   7 ++-
 m4/manpage-docbook-xsl.m4      |  38 +++++++++---
 tests/install-swtpm.sh         |  10 ++--
 tests/install-tpm2-tss.sh      |  19 ------
 tests/sign_verify.test         |   9 ++-
 travis/alpine.sh               |  50 ++++++++++++++++
 travis/centos.sh               |   1 +
 travis/debian.cross-compile.sh |  23 +++++++
 travis/debian.i386.sh          |  11 ++++
 travis/debian.sh               |  54 +++++++++++++++++
 travis/fedora.sh               |  49 +++++++++++++++
 travis/opensuse.sh             |   1 +
 travis/tumbleweed.sh           |  45 ++++++++++++++
 travis/ubuntu.sh               |   1 +
 18 files changed, 457 insertions(+), 82 deletions(-)
 create mode 100755 build.sh
 delete mode 100755 tests/install-tpm2-tss.sh
 create mode 100755 travis/alpine.sh
 create mode 120000 travis/centos.sh
 create mode 100755 travis/debian.cross-compile.sh
 create mode 100755 travis/debian.i386.sh
 create mode 100755 travis/debian.sh
 create mode 100755 travis/fedora.sh
 create mode 120000 travis/opensuse.sh
 create mode 100755 travis/tumbleweed.sh
 create mode 120000 travis/ubuntu.sh

-- 
2.28.0

[PATCH ima-evm-utils 1/9] configure: Fix tss2-esys check

[Petr Vorel]

Check tss2-esys with Esys_Free() instead of Esys_PCR_Read().
That should be the newest dependency.

That means we depend on tss2-esys >= 2.1.0 instead of 2.0.0.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 configure.ac | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 971a712..8e13b61 100644
--- a/configure.ac
+++ b/configure.ac
@@ -30,9 +30,9 @@ AC_SUBST(KERNEL_HEADERS)
 AC_CHECK_HEADER(unistd.h)
 AC_CHECK_HEADERS(openssl/conf.h)
 
-AC_CHECK_LIB([tss2-esys], [Esys_PCR_Read])
+AC_CHECK_LIB([tss2-esys], [Esys_Free])
 AC_CHECK_LIB([tss2-rc], [Tss2_RC_Decode])
-AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_PCR_Read" = "xyes"])
+AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_Free" = "xyes"])
 
 AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])])
 AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
@@ -77,6 +77,6 @@ echo
 echo	"Configuration:"
 echo	"          debug: $pkg_cv_enable_debug"
 echo	"   openssl-conf: $enable_openssl_conf"
-echo	"      tss2-esys: $ac_cv_lib_tss2_esys_Esys_PCR_Read"
+echo	"      tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free"
 echo	" tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
 echo
-- 
2.28.0

[PATCH ima-evm-utils 2/9] man: Fix xmlcatalog path detection

[Petr Vorel]

for catalogs which return plain file path (e.g.
/usr/.../manpages/docbook.xsl) instead of URI which starts
with file://). In that case sed printed empty string.

Fixes: 5fa7d35 ("autotools: Try to find correct manpage stylesheet
path")

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 m4/manpage-docbook-xsl.m4 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/m4/manpage-docbook-xsl.m4 b/m4/manpage-docbook-xsl.m4
index 24ae55a..2d8436e 100644
--- a/m4/manpage-docbook-xsl.m4
+++ b/m4/manpage-docbook-xsl.m4
@@ -1,4 +1,4 @@
-dnl Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
+dnl Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
 dnl Find docbook manpage stylesheet
 
 AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [
@@ -19,7 +19,7 @@ AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [
 	if test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"; then
 		DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current"
 		DOCBOOK_XSL_PATH="manpages/docbook.xsl"
-		MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed -n 's|^file:/\+|/|p;q')
+		MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed 's|^file:/\+|/|')
 	fi
 	if test "x${MANPAGE_DOCBOOK_XSL}" = "x"; then
 		MANPAGE_DOCBOOK_XSL="/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl"
-- 
2.28.0

[PATCH ima-evm-utils 3/9] man: Generate doc targets only when XSL found

[Petr Vorel]

As requiring manpages/docbook.xsl breaks build if not found.

Also rewrite the check to add more debug info.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 Makefile.am               |  4 ++++
 configure.ac              |  1 +
 m4/manpage-docbook-xsl.m4 | 34 +++++++++++++++++++++++++++-------
 3 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 45c6f82..17fd478 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,5 +1,7 @@
 SUBDIRS = src tests
+if MANPAGE_DOCBOOK_XSL
 dist_man_MANS = evmctl.1
+endif
 
 doc_DATA =  examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
 EXTRA_DIST = autogen.sh $(doc_DATA)
@@ -23,6 +25,7 @@ rpm: $(tarname)
 	cp $(tarname) $(SRCS)/
 	rpmbuild -ba --nodeps $(SPEC)
 
+if MANPAGE_DOCBOOK_XSL
 evmctl.1.html: README
 	@asciidoc -o $@ $<
 
@@ -35,5 +38,6 @@ rmman:
 	rm -f evmctl.1
 
 doc: evmctl.1.html rmman evmctl.1
+endif
 
 .PHONY: $(tarname)
diff --git a/configure.ac b/configure.ac
index 8e13b61..a2e68d0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -79,4 +79,5 @@ echo	"          debug: $pkg_cv_enable_debug"
 echo	"   openssl-conf: $enable_openssl_conf"
 echo	"      tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free"
 echo	" tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
+echo	"            doc: $have_doc"
 echo
diff --git a/m4/manpage-docbook-xsl.m4 b/m4/manpage-docbook-xsl.m4
index 2d8436e..25c8ce5 100644
--- a/m4/manpage-docbook-xsl.m4
+++ b/m4/manpage-docbook-xsl.m4
@@ -2,6 +2,9 @@ dnl Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
 dnl Find docbook manpage stylesheet
 
 AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [
+	DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current"
+	DOCBOOK_XSL_PATH="manpages/docbook.xsl"
+
 	AC_PATH_PROGS(XMLCATALOG, xmlcatalog)
 	AC_ARG_WITH([xml-catalog],
 		AC_HELP_STRING([--with-xml-catalog=CATALOG],
@@ -9,20 +12,37 @@ AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [
 				[with_xml_catalog=/etc/xml/catalog])
 	XML_CATALOG_FILE="$with_xml_catalog"
 	AC_SUBST([XML_CATALOG_FILE])
-	AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)])
-	if test -f "$XML_CATALOG_FILE"; then
-		have_xmlcatalog_file=yes
-		AC_MSG_RESULT([found])
+
+	if test "x${XMLCATALOG}" = "x"; then
+		AC_MSG_WARN([xmlcatalog not found, cannot search for $DOCBOOK_XSL_PATH])
 	else
-		AC_MSG_RESULT([not found])
+		AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)])
+		if test -f "$XML_CATALOG_FILE"; then
+			have_xmlcatalog_file=yes
+			AC_MSG_RESULT([found])
+		else
+			AC_MSG_RESULT([not found, cannot search for $DOCBOOK_XSL_PATH])
+		fi
 	fi
+
 	if test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"; then
-		DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current"
-		DOCBOOK_XSL_PATH="manpages/docbook.xsl"
 		MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed 's|^file:/\+|/|')
 	fi
+
 	if test "x${MANPAGE_DOCBOOK_XSL}" = "x"; then
 		MANPAGE_DOCBOOK_XSL="/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl"
+		AC_MSG_WARN([trying a default path for $DOCBOOK_XSL_PATH])
 	fi
+
+	if test -f "$MANPAGE_DOCBOOK_XSL"; then
+		have_doc=yes
+		AC_MSG_NOTICE([using $MANPAGE_DOCBOOK_XSL for generating doc])
+	else
+		AC_MSG_WARN([$DOCBOOK_XSL_PATH not found, generating doc will be skipped])
+		MANPAGE_DOCBOOK_XSL=
+		have_doc=no
+	fi
+	AM_CONDITIONAL(MANPAGE_DOCBOOK_XSL, test "x$have_doc" = xyes)
+
 	AC_SUBST(MANPAGE_DOCBOOK_XSL)
 ])
-- 
2.28.0

[PATCH ima-evm-utils 4/9] install-swtpm.sh: Ignore certificate for download

[Petr Vorel]

Some distros in Travis CI (e.g. Debian and Ubuntu) have problems with
downloading from sourceforge.net due unknown certificate issuer:

--2020-08-11 14:47:51--  https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download
Resolving sourceforge.net (sourceforge.net)... 216.105.38.13
Connecting to sourceforge.net (sourceforge.net)|216.105.38.13|:443... connected.
ERROR: The certificate of 'sourceforge.net' is not trusted.
ERROR: The certificate of 'sourceforge.net' doesn't have a known issuer.

This is a preparation for future commit (moving to docker based Travis CI).

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 tests/install-swtpm.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/install-swtpm.sh b/tests/install-swtpm.sh
index 071e9c9..2afcf17 100755
--- a/tests/install-swtpm.sh
+++ b/tests/install-swtpm.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 set -ex
-wget https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download
+wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download
 mkdir ibmtpm1332
 cd ibmtpm1332
 tar -xvzf ../download
-- 
2.28.0

[PATCH ima-evm-utils 5/9] install-swtpm.sh: Update ibmtpm to version 1637

[Petr Vorel]

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 tests/install-swtpm.sh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/tests/install-swtpm.sh b/tests/install-swtpm.sh
index 2afcf17..2d8293a 100755
--- a/tests/install-swtpm.sh
+++ b/tests/install-swtpm.sh
@@ -1,9 +1,11 @@
 #!/bin/sh
-
 set -ex
-wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download
-mkdir ibmtpm1332
-cd ibmtpm1332
+
+version=1637
+
+wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${version}.tar.gz/download
+mkdir ibmtpm$version
+cd ibmtpm$version
 tar -xvzf ../download
 cd src
 make -j$(nproc)
-- 
2.28.0

[PATCH ima-evm-utils 6/9] Remove install-tpm2-tss.sh

[Petr Vorel]

tpm2-software is being packaged in major distros nowadays.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 tests/install-tpm2-tss.sh | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100755 tests/install-tpm2-tss.sh

diff --git a/tests/install-tpm2-tss.sh b/tests/install-tpm2-tss.sh
deleted file mode 100755
index 7a71b57..0000000
--- a/tests/install-tpm2-tss.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-git clone https://github.com/tpm2-software/tpm2-tss.git
-cd tpm2-tss
-./bootstrap
-./configure
-make -j$(nproc)
-sudo make install
-sudo ldconfig
-cd ..
-rm -rf tpm2-tss
-
-git clone https://github.com/tpm2-software/tpm2-tools.git
-cd tpm2-tools
-./bootstrap && ./configure --prefix=/usr
-make -j$(nproc)
-sudo make install
-cd ..
-rm -rf tpm2-tools
-- 
2.28.0

[PATCH ima-evm-utils 7/9] autogen.sh: Cleanup

[Petr Vorel]

m4 directory exists, force parameter is not needed.
Remove commented out "old way".

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 autogen.sh | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/autogen.sh b/autogen.sh
index d01bb43..902f2bc 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -1,16 +1,4 @@
 #! /bin/sh
-
 set -e
 
-# new way
-# strange, but need this for Makefile.am, because it has -I m4
-test -d m4 || mkdir m4
-autoreconf -f -i
-
-# old way
-#libtoolize --automake --copy --force
-#aclocal
-#autoconf --force
-#autoheader --force
-#automake --add-missing --copy --force-missing --gnu
-
+autoreconf -i
-- 
2.28.0

[PATCH ima-evm-utils 8/9] tests: Require cmp

[Petr Vorel]

cmp is not by default installed on some containers
(unlike other tools e.g. cut, tr from coreutils or grep).

Also cmp implementation from busybox doesn't support -b, thus detect it.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 tests/sign_verify.test | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 118c3f6..4f08bed 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -18,7 +18,14 @@
 cd "$(dirname "$0")" || exit 1
 PATH=../src:$PATH
 source ./functions.sh
-_require evmctl openssl xxd getfattr
+
+_require cmp evmctl getfattr openssl xxd
+
+if cmp -b 2>&1 | grep -q "invalid option"; then
+	echo "cmp does not support -b (cmp from busybox?) Use cmp from diffutils"
+	exit "$HARDFAIL"
+fi
+
 ./gen-keys.sh >/dev/null 2>&1
 
 trap _report_exit EXIT
-- 
2.28.0

[PATCH ima-evm-utils 9/9] travis: Switch to docker based builds

[Petr Vorel]

This requires to have distro specific install scripts and build.sh
script.

For now ibmswtpm2 is compiled just for native builds (depends on gcc,
compiled natively). libtmps/swtpm could be used.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .travis.yml                    | 106 +++++++++++++++++++++++----------
 build.sh                       |  97 ++++++++++++++++++++++++++++++
 travis/alpine.sh               |  50 ++++++++++++++++
 travis/centos.sh               |   1 +
 travis/debian.cross-compile.sh |  23 +++++++
 travis/debian.i386.sh          |  11 ++++
 travis/debian.sh               |  54 +++++++++++++++++
 travis/fedora.sh               |  49 +++++++++++++++
 travis/opensuse.sh             |   1 +
 travis/tumbleweed.sh           |  45 ++++++++++++++
 travis/ubuntu.sh               |   1 +
 11 files changed, 405 insertions(+), 33 deletions(-)
 create mode 100755 build.sh
 create mode 100755 travis/alpine.sh
 create mode 120000 travis/centos.sh
 create mode 100755 travis/debian.cross-compile.sh
 create mode 100755 travis/debian.i386.sh
 create mode 100755 travis/debian.sh
 create mode 100755 travis/fedora.sh
 create mode 120000 travis/opensuse.sh
 create mode 100755 travis/tumbleweed.sh
 create mode 120000 travis/ubuntu.sh

diff --git a/.travis.yml b/.travis.yml
index cdfba49..849fcb6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,38 +1,78 @@
 dist: bionic
 language: C
-addons:
- apt:
-  packages:
-   - libkeyutils-dev
-   - libattr1-dev
-   - attr
-   - openssl
-   - libssl-dev
-   - asciidoc
-   - xsltproc
-   - docbook-xsl
-   - docbook-xml
+services:
+    - docker
+
 matrix:
-   include:
-     - env: TSS=ibmtss
-     - env: TSS=tpm2-tss
-install:
-   - if [ "${TSS}" = "tpm2-tss" ]; then
-           sudo apt-get install lcov pandoc autoconf-archive liburiparser-dev;
-           sudo apt-get install libdbus-1-dev libglib2.0-dev dbus-x11 libgcrypt-dev;
-           sudo apt-get install libssl-dev doxygen libjson-c-dev;
-           sudo apt-get install libini-config-dev libltdl-dev;
-           sudo apt-get install uuid-dev libcurl4-openssl-dev;
-          ./tests/install-tpm2-tss.sh;
-     fi
-   - ./tests/install-swtpm.sh
-   - ./tests/install-tss.sh
+    include:
+        # 32 bit build
+        - os: linux
+          env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss
+          compiler: gcc
 
-script:
-   - export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib;
-   - export PATH=$PATH:/usr/local/bin;
-   - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check;
+        # cross compilation builds
+        - os: linux
+          env: DISTRO=debian:stable VARIANT=cross-compile ARCH=ppc64el TSS=ibmtss
+          compiler: powerpc64le-linux-gnu-gcc
+
+        - os: linux
+          env: DISTRO=debian:stable VARIANT=cross-compile ARCH=arm64 TSS=tpm2-tss
+          compiler: aarch64-linux-gnu-gcc
+
+        - os: linux
+          env: DISTRO=debian:stable VARIANT=cross-compile ARCH=s390x TSS=ibmtss
+          compiler: s390x-linux-gnu-gcc
+
+        # musl
+        - os: linux
+          env: DISTRO=alpine:latest TSS=tpm2-tss
+          compiler: gcc
+
+        # glibc (gcc/clang)
+        - os: linux
+          env: DISTRO=opensuse/tumbleweed TSS=ibmtss
+          compiler: clang
+
+        - os: linux
+          env: DISTRO=opensuse/leap TSS=tpm2-tss
+          compiler: gcc
+
+        - os: linux
+          env: DISTRO=ubuntu:eoan TSS=ibmtss
+          compiler: gcc
 
-   - tail -3 tests/ima_hash.log;
-   - tail -3 tests/sign_verify.log;
-   - tail -20 tests/boot_aggregate.log;
+        - os: linux
+          env: DISTRO=ubuntu:xenial TSS=tpm2-tss
+          compiler: clang
+
+        - os: linux
+          env: DISTRO=fedora:latest TSS=ibmtss
+          compiler: clang
+
+        - os: linux
+          env: DISTRO=centos:7 TSS=tpm2-tss
+          compiler: gcc
+
+        - os: linux
+          env: DISTRO=centos:latest TSS=tpm2-tss
+          compiler: clang
+
+        - os: linux
+          env: DISTRO=debian:testing TSS=tpm2-tss
+          compiler: clang
+
+        - os: linux
+          env: DISTRO=debian:stable TSS=ibmtss
+          compiler: gcc
+
+before_install:
+    - df -hT
+    - DIR="/usr/src/ima-evm-utils"
+    - printf "FROM $DISTRO\nRUN mkdir -p $DIR\nWORKDIR $DIR\nCOPY . $DIR\n" > Dockerfile
+    - cat Dockerfile
+    - docker build -t ima-evm-utils .
+
+script:
+    - INSTALL="${DISTRO%%:*}"
+    - INSTALL="${INSTALL%%/*}"
+    - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh"
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..b922fa6
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,97 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+
+set -e
+
+CC="${CC:-gcc}"
+CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common}"
+PREFIX="${PREFIX:-$HOME/ima-evm-utils-install}"
+
+export LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib"
+export PATH="$PREFIX/bin:/usr/local/bin:$PATH"
+
+title()
+{
+	echo "===== $1 ====="
+}
+
+log_exit()
+{
+	local ret="${3:-$?}"
+	local log="$1"
+	local msg="$2"
+	local prefix
+
+	echo "=== $log ==="
+	[ $ret -eq 0 ] || prefix="FAIL: "
+	cat $log
+	echo
+	echo "$prefix$msg, see output of $log above"
+	exit $ret
+}
+
+cd `dirname $0`
+
+case "$VARIANT" in
+	i386)
+		echo "32-bit compilation"
+		export CFLAGS="-m32 $CFLAGS" LDFLAGS="-m32 $LDFLAGS"
+		export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu/pkgconfig
+		;;
+	cross-compile)
+		host="${CC%-gcc}"
+		export CROSS_COMPILE="${host}-"
+		host="--host=$host"
+		echo "cross compilation: $host"
+		echo "CROSS_COMPILE: '$CROSS_COMPILE'"
+		;;
+	*)
+		if [ "$VARIANT" ]; then
+			echo "Wrong VARIANT: '$VARIANT'" >&2
+			exit 1
+		fi
+		echo "native build"
+		;;
+esac
+
+title "compiler version"
+$CC --version
+echo "CFLAGS: '$CFLAGS'"
+echo "LDFLAGS: '$LDFLAGS'"
+echo "PREFIX: '$PREFIX'"
+
+title "configure"
+./autogen.sh
+./configure --prefix=$PREFIX $host || log_exit config.log "configure failed"
+
+title "make"
+make -j$(nproc)
+make install
+
+title "test"
+if [ "$VARIANT" = "cross-compile" ]; then
+	echo "skip make check on cross compilation"
+	exit 0
+fi
+
+ret=0
+VERBOSE=1 make check || ret=$?
+
+title "logs"
+if [ $ret -eq 0 ]; then
+	tail -3 tests/ima_hash.log
+	tail -3 tests/sign_verify.log
+	tail -20 tests/boot_aggregate.log
+	exit 0
+fi
+
+cat tests/test-suite.log
+
+if [ $ret -eq 77 ]; then
+	msg="WARN: some tests skipped"
+	ret=0
+else
+	msg="FAIL: tests exited: $ret"
+fi
+
+log_exit tests/test-suite.log "$msg" $ret
diff --git a/travis/alpine.sh b/travis/alpine.sh
new file mode 100755
index 0000000..63d7954
--- /dev/null
+++ b/travis/alpine.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -ex
+
+if [ -z "$CC" ]; then
+	echo "missing \$CC!" >&2
+	exit 1
+fi
+
+case "$TSS" in
+ibmtss) echo "No IBM TSS package, will be installed from git" >&2; TSS=;;
+tpm2-tss) TSS="tpm2-tss-dev";;
+'') echo "Missing TSS!" >&2; exit 1;;
+*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
+esac
+
+# ibmswtpm2 requires gcc
+[ "$CC" = "gcc" ] || CC="gcc $CC"
+
+apk update
+
+apk add \
+	$CC $TSS \
+	asciidoc \
+	attr \
+	attr-dev \
+	autoconf \
+	automake \
+	diffutils \
+	docbook-xml \
+	docbook-xsl \
+	keyutils-dev \
+	libtool \
+	libxslt \
+	linux-headers \
+	make \
+	musl-dev \
+	openssl \
+	openssl-dev \
+	pkgconfig \
+	procps \
+	sudo \
+	wget \
+	which \
+	xxd
+
+if [ ! "$TSS" ]; then
+	apk add git
+	../tests/install-tss.sh
+fi
diff --git a/travis/centos.sh b/travis/centos.sh
new file mode 120000
index 0000000..1479a43
--- /dev/null
+++ b/travis/centos.sh
@@ -0,0 +1 @@
+fedora.sh
\ No newline at end of file
diff --git a/travis/debian.cross-compile.sh b/travis/debian.cross-compile.sh
new file mode 100755
index 0000000..5456d12
--- /dev/null
+++ b/travis/debian.cross-compile.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -ex
+
+if [ -z "$ARCH" ]; then
+	echo "missing \$ARCH!" >&2
+	exit 1
+fi
+
+case "$ARCH" in
+arm64) gcc_arch="aarch64";;
+ppc64el) gcc_arch="powerpc64le";;
+s390x) gcc_arch="$ARCH";;
+*) echo "unsupported arch: '$ARCH'!" >&2; exit 1;;
+esac
+
+dpkg --add-architecture $ARCH
+apt update
+
+apt install -y --no-install-recommends \
+	dpkg-dev \
+	gcc-${gcc_arch}-linux-gnu \
+	libc6-dev-${ARCH}-cross
diff --git a/travis/debian.i386.sh b/travis/debian.i386.sh
new file mode 100755
index 0000000..1cad06e
--- /dev/null
+++ b/travis/debian.i386.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -ex
+
+dpkg --add-architecture i386
+apt update
+
+apt install -y --no-install-recommends \
+	linux-libc-dev:i386 \
+	gcc-multilib \
+	pkg-config:i386
diff --git a/travis/debian.sh b/travis/debian.sh
new file mode 100755
index 0000000..ad7d2c0
--- /dev/null
+++ b/travis/debian.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -ex
+
+if [ -z "$CC" ]; then
+	echo "missing \$CC!" >&2
+	exit 1
+fi
+
+# debian.*.sh must be run first
+if [ "$ARCH" ]; then
+	ARCH=":$ARCH"
+	unset CC
+else
+	apt update
+fi
+
+# ibmswtpm2 requires gcc
+[ "$CC" = "gcc" ] || CC="gcc $CC"
+
+case "$TSS" in
+ibmtss) TSS="libtss-dev";;
+tpm2-tss) TSS="libtss2-dev";;
+'') echo "Missing TSS!" >&2; exit 1;;
+*) [ "$TSS" ] && echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
+esac
+
+apt="apt install -y --no-install-recommends"
+
+$apt \
+	$CC $TSS \
+	asciidoc \
+	attr \
+	autoconf \
+	automake \
+	diffutils \
+	debianutils \
+	docbook-xml \
+	docbook-xsl \
+	gzip \
+	libattr1-dev$ARCH \
+	libkeyutils-dev$ARCH \
+	libssl-dev$ARCH \
+	libtool \
+	make \
+	openssl \
+	pkg-config \
+	procps \
+	sudo \
+	wget \
+	xsltproc \
+
+$apt xxd || $apt vim-common
+$apt libengine-gost-openssl1.1$ARCH || true
diff --git a/travis/fedora.sh b/travis/fedora.sh
new file mode 100755
index 0000000..d3459e4
--- /dev/null
+++ b/travis/fedora.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -e
+
+if [ -z "$CC" ]; then
+	echo "missing \$CC!" >&2
+	exit 1
+fi
+
+case "$TSS" in
+ibmtss) TSS="tss2-devel";;
+tpm2-tss) TSS="tpm2-tss-devel";;
+'') echo "Missing TSS!" >&2; exit 1;;
+*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
+esac
+
+# ibmswtpm2 requires gcc
+[ "$CC" = "gcc" ] || CC="gcc $CC"
+
+yum -y install \
+	$CC $TSS \
+	asciidoc \
+	attr \
+	autoconf \
+	automake \
+	diffutils \
+	docbook-xsl \
+	gzip \
+	keyutils-libs-devel \
+	libattr-devel \
+	libtool \
+	libxslt \
+	make \
+	openssl \
+	openssl-devel \
+	pkg-config \
+	procps \
+	sudo \
+	vim-common \
+	wget \
+	which
+
+yum -y install docbook5-style-xsl || true
+
+# FIXME: debug
+echo "find /tss2_esys.h"
+find /usr/ 2>/dev/null |grep /tss2_esys.h || true
+echo "cat /usr/include/tss2/tss2_esys.h"
+cat /usr/include/tss2/tss2_esys.h || true
diff --git a/travis/opensuse.sh b/travis/opensuse.sh
new file mode 120000
index 0000000..11c5f4b
--- /dev/null
+++ b/travis/opensuse.sh
@@ -0,0 +1 @@
+tumbleweed.sh
\ No newline at end of file
diff --git a/travis/tumbleweed.sh b/travis/tumbleweed.sh
new file mode 100755
index 0000000..ec4dc43
--- /dev/null
+++ b/travis/tumbleweed.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -ex
+
+if [ -z "$CC" ]; then
+	echo "missing \$CC!" >&2
+	exit 1
+fi
+
+case "$TSS" in
+ibmtss) TSS="ibmtss-devel";;
+tpm2-tss) TSS="tpm2-0-tss-devel";;
+'') echo "Missing TSS!" >&2; exit 1;;
+*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
+esac
+
+# clang has some gcc dependency
+[ "$CC" = "gcc" ] || CC="gcc $CC"
+
+zypper --non-interactive install --force-resolution --no-recommends \
+	$CC $TSS \
+	asciidoc \
+	attr \
+	autoconf \
+	automake \
+	diffutils \
+	docbook_5 \
+	docbook5-xsl-stylesheets \
+	gzip \
+	ibmswtpm2 \
+	keyutils-devel \
+	libattr-devel \
+	libopenssl-devel \
+	libtool \
+	make \
+	openssl \
+	pkg-config \
+	procps \
+	sudo \
+	vim \
+	wget \
+	which \
+	xsltproc
+
+[ -f /usr/lib/ibmtss/tpm_server ] && ln -s /usr/lib/ibmtss/tpm_server /usr/local/bin
diff --git a/travis/ubuntu.sh b/travis/ubuntu.sh
new file mode 120000
index 0000000..0edcb8b
--- /dev/null
+++ b/travis/ubuntu.sh
@@ -0,0 +1 @@
+debian.sh
\ No newline at end of file
-- 
2.28.0

Re: [PATCH ima-evm-utils 9/9] travis: Switch to docker based builds

[Mimi Zohar]

On Thu, 2020-08-13 at 20:25 +0200, Petr Vorel wrote:
> This requires to have distro specific install scripts and build.sh
> script.
> 
> For now ibmswtpm2 is compiled just for native builds (depends on gcc,
> compiled natively). libtmps/swtpm could be used.

Note:  in addition to installing a software TPM, the software TPM PCRs
needs to be initialized based on the TPM event log.  For now there is a
dependency on "tsseventextend" to walk the TPM event log extending the
software TPM PCRs in order to validate the "boot_aggregate".   Without
either a software TPM or "tsseventextend" installed, the
"boot_aggregate.test" will be skipped.

Mimi

Re: [PATCH ima-evm-utils 9/9] travis: Switch to docker based builds

[Petr Vorel]

Hi Mimi,

I'm sorry I left debugging code in travis/fedora.sh.

> --- /dev/null
> +++ b/travis/fedora.sh
> @@ -0,0 +1,49 @@
> +#!/bin/sh
> +# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
> +set -e
> +
> +if [ -z "$CC" ]; then
> +	echo "missing \$CC!" >&2
> +	exit 1
> +fi
> +
> +case "$TSS" in
> +ibmtss) TSS="tss2-devel";;
> +tpm2-tss) TSS="tpm2-tss-devel";;
> +'') echo "Missing TSS!" >&2; exit 1;;
> +*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
> +esac
> +
> +# ibmswtpm2 requires gcc
> +[ "$CC" = "gcc" ] || CC="gcc $CC"
> +
> +yum -y install \
> +	$CC $TSS \
> +	asciidoc \
> +	attr \
> +	autoconf \
> +	automake \
> +	diffutils \
> +	docbook-xsl \
> +	gzip \
> +	keyutils-libs-devel \
> +	libattr-devel \
> +	libtool \
> +	libxslt \
> +	make \
> +	openssl \
> +	openssl-devel \
> +	pkg-config \
> +	procps \
> +	sudo \
> +	vim-common \
> +	wget \
> +	which
> +
> +yum -y install docbook5-style-xsl || true

These lines below needs to be removed.
> +
> +# FIXME: debug
> +echo "find /tss2_esys.h"
> +find /usr/ 2>/dev/null |grep /tss2_esys.h || true
> +echo "cat /usr/include/tss2/tss2_esys.h"
> +cat /usr/include/tss2/tss2_esys.h || true

Kind regards,
Petr

Re: [PATCH ima-evm-utils 9/9] travis: Switch to docker based builds

[Bruno Meneguele]

[-- Attachment #1: Type: text/plain, Size: 1619 bytes --]

On Mon, Aug 17, 2020 at 10:04:51AM +0200, Petr Vorel wrote:
> Hi Mimi,
> 
> I'm sorry I left debugging code in travis/fedora.sh.
> 
> > --- /dev/null
> > +++ b/travis/fedora.sh
> > @@ -0,0 +1,49 @@
> > +#!/bin/sh
> > +# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
> > +set -e
> > +
> > +if [ -z "$CC" ]; then
> > +	echo "missing \$CC!" >&2
> > +	exit 1
> > +fi
> > +
> > +case "$TSS" in
> > +ibmtss) TSS="tss2-devel";;

Unfortunately tss2 is only shipped for ppc64 today on CentOS. But there
are plans to enable it to all other supported arches soon.

> > +tpm2-tss) TSS="tpm2-tss-devel";;
> > +'') echo "Missing TSS!" >&2; exit 1;;
> > +*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
> > +esac
> > +
> > +# ibmswtpm2 requires gcc
> > +[ "$CC" = "gcc" ] || CC="gcc $CC"
> > +
> > +yum -y install \
> > +	$CC $TSS \
> > +	asciidoc \
> > +	attr \
> > +	autoconf \
> > +	automake \
> > +	diffutils \
> > +	docbook-xsl \
> > +	gzip \
> > +	keyutils-libs-devel \
> > +	libattr-devel \
> > +	libtool \
> > +	libxslt \
> > +	make \
> > +	openssl \
> > +	openssl-devel \
> > +	pkg-config \
> > +	procps \
> > +	sudo \
> > +	vim-common \
> > +	wget \
> > +	which
> > +
> > +yum -y install docbook5-style-xsl || true
> 
> These lines below needs to be removed.

+1

> > +
> > +# FIXME: debug
> > +echo "find /tss2_esys.h"
> > +find /usr/ 2>/dev/null |grep /tss2_esys.h || true
> > +echo "cat /usr/include/tss2/tss2_esys.h"
> > +cat /usr/include/tss2/tss2_esys.h || true
> 
> Kind regards,
> Petr
> 

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH ima-evm-utils 0/9] Docker based Travis CI builds

[Bruno Meneguele]

[-- Attachment #1: Type: text/plain, Size: 2580 bytes --]

On Thu, Aug 13, 2020 at 08:25:23PM +0200, Petr Vorel wrote:
> Hi,
> 
> we talked about Docker based Travis CI builds.
> Here they are [1]. Working on it revealed few bugs, that's why they're
> included.
> 
> I've resent 2 commits ("man:" prefix).
> 
> I haven't addressed Mimi's suggestion to replace ibmswtpm2 with libtmps/swtpm [2].
> 
> Kind regards,
> Petr
> 
> [1] https://travis-ci.org/github/pevik/ima-evm-utils/builds/717681733
> [2] https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm
> 
> Petr Vorel (9):
>   configure: Fix tss2-esys check
>   man: Fix xmlcatalog path detection
>   man: Generate doc targets only when XSL found
>   install-swtpm.sh: Ignore certificate for download
>   install-swtpm.sh: Update ibmtpm to version 1637
>   Remove install-tpm2-tss.sh
>   autogen.sh: Cleanup
>   tests: Require cmp
>   travis: Switch to docker based builds
> 
>  .travis.yml                    | 106 +++++++++++++++++++++++----------
>  Makefile.am                    |   4 ++
>  autogen.sh                     |  14 +----
>  build.sh                       |  97 ++++++++++++++++++++++++++++++
>  configure.ac                   |   7 ++-
>  m4/manpage-docbook-xsl.m4      |  38 +++++++++---
>  tests/install-swtpm.sh         |  10 ++--
>  tests/install-tpm2-tss.sh      |  19 ------
>  tests/sign_verify.test         |   9 ++-
>  travis/alpine.sh               |  50 ++++++++++++++++
>  travis/centos.sh               |   1 +
>  travis/debian.cross-compile.sh |  23 +++++++
>  travis/debian.i386.sh          |  11 ++++
>  travis/debian.sh               |  54 +++++++++++++++++
>  travis/fedora.sh               |  49 +++++++++++++++
>  travis/opensuse.sh             |   1 +
>  travis/tumbleweed.sh           |  45 ++++++++++++++
>  travis/ubuntu.sh               |   1 +
>  18 files changed, 457 insertions(+), 82 deletions(-)
>  create mode 100755 build.sh
>  delete mode 100755 tests/install-tpm2-tss.sh
>  create mode 100755 travis/alpine.sh
>  create mode 120000 travis/centos.sh
>  create mode 100755 travis/debian.cross-compile.sh
>  create mode 100755 travis/debian.i386.sh
>  create mode 100755 travis/debian.sh
>  create mode 100755 travis/fedora.sh
>  create mode 120000 travis/opensuse.sh
>  create mode 100755 travis/tumbleweed.sh
>  create mode 120000 travis/ubuntu.sh
> 
> -- 
> 2.28.0
> 

I've tested it in both Fedora and CentOS 8 (RHEL actually).

Reviewed-by: Bruno Meneguele <bmeneg@redhat.com>

Thanks Petr.

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH ima-evm-utils 9/9] travis: Switch to docker based builds

[Petr Vorel]

Hi Bruno,

> On Mon, Aug 17, 2020 at 10:04:51AM +0200, Petr Vorel wrote:
> > Hi Mimi,

> > I'm sorry I left debugging code in travis/fedora.sh.

> > > --- /dev/null
> > > +++ b/travis/fedora.sh
> > > @@ -0,0 +1,49 @@
> > > +#!/bin/sh
> > > +# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
> > > +set -e
> > > +
> > > +if [ -z "$CC" ]; then
> > > +	echo "missing \$CC!" >&2
> > > +	exit 1
> > > +fi
> > > +
> > > +case "$TSS" in
> > > +ibmtss) TSS="tss2-devel";;

> Unfortunately tss2 is only shipped for ppc64 today on CentOS. But there
> are plans to enable it to all other supported arches soon.

I'm sorry I haven't noticed that they're not installed on intel.
Hope they'll fix it soon.

Thanks for testing!

Kind regards,
Petr

> > > +tpm2-tss) TSS="tpm2-tss-devel";;
> > > +'') echo "Missing TSS!" >&2; exit 1;;
> > > +*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
> > > +esac
...

Re: [PATCH ima-evm-utils 0/9] Docker based Travis CI builds

[Mimi Zohar]

Hi Petr,

On Thu, 2020-08-13 at 20:25 +0200, Petr Vorel wrote:
> Hi,
> 
> we talked about Docker based Travis CI builds.
> Here they are [1]. Working on it revealed few bugs, that's why they're
> included.
> 
> I've resent 2 commits ("man:" prefix).
> 
> I haven't addressed Mimi's suggestion to replace ibmswtpm2 with libtmps/swtpm [2].

To summarize:
- Add libtpms/swtpm support
- Remove debugging from travis/fedora.sh 
- CentOS tss & tss2-devel issues
- Petr todo's comment:
  * add pgrep and pkill to _require (fix of a different commit)
  * add magic constant 114 to exit codes (in tests/functions.sh)
  * I'd like reuse exit codes in build.sh. I could source tests/functions.sh (they
    look to be general enough, just I didn't like script in root directory depending
    on it, as it's general enough for build without testing) have these constants in
    separate file.

swtpm: patch was posted, reviewed, and fixed.

CentOS: Our internal Travis on ppc64 is installing both tpm2-tss-2.0.0-
4.el8.x86_64.rpm and tpm2-tss-devel-2.0.0-4.el8.x86_64.rpm on CentOS. 
In general, the "boot_aggregate.test" is only run if both a software
TPM and the tsseventextend exist.  If either one of them are missing,
the test is skipped.  For CentOS on x86, the "boot_aggregate" would be
skipped.

Left is Petr's "todo's" comment.  Petr, would these be additional
patches on top of the existing ones or were you planning on re-posting
them?   If these are additional patches, I can remove the debugging
from travis/fedora.sh in patch 9/9.  Please let me know how you want to
go forward.

thanks,

Mimi

Re: [PATCH ima-evm-utils 0/9] Docker based Travis CI builds

[Petr Vorel]

Hi Mimi,

> Hi Petr,

> On Thu, 2020-08-13 at 20:25 +0200, Petr Vorel wrote:
> > Hi,

> > we talked about Docker based Travis CI builds.
> > Here they are [1]. Working on it revealed few bugs, that's why they're
> > included.

> > I've resent 2 commits ("man:" prefix).

> > I haven't addressed Mimi's suggestion to replace ibmswtpm2 with libtmps/swtpm [2].

> To summarize:
> - Add libtpms/swtpm support
> - Remove debugging from travis/fedora.sh 
> - CentOS tss & tss2-devel issues
> - Petr todo's comment:
>   * add pgrep and pkill to _require (fix of a different commit)
>   * add magic constant 114 to exit codes (in tests/functions.sh)
>   * I'd like reuse exit codes in build.sh. I could source tests/functions.sh (they
>     look to be general enough, just I didn't like script in root directory depending
>     on it, as it's general enough for build without testing) have these constants in
>     separate file.

> swtpm: patch was posted, reviewed, and fixed.
Great.

> CentOS: Our internal Travis on ppc64 is installing both tpm2-tss-2.0.0-
> 4.el8.x86_64.rpm and tpm2-tss-devel-2.0.0-4.el8.x86_64.rpm on CentOS. 
> In general, the "boot_aggregate.test" is only run if both a software
> TPM and the tsseventextend exist.  If either one of them are missing,
> the test is skipped.  For CentOS on x86, the "boot_aggregate" would be
> skipped.
Great. BTW it'd be nice to have native non-intel builds instead of
cross-compilation. But, they're constantly broken on Travis CI, that's why I
didn't implement it (I've been testing ppc64le and s390x for several months).

> Left is Petr's "todo's" comment.  Petr, would these be additional
> patches on top of the existing ones or were you planning on re-posting
> them?   If these are additional patches, I can remove the debugging
> from travis/fedora.sh in patch 9/9.  Please let me know how you want to
> go forward.
Please, remove the debugging from travis/fedora.sh, I'll send additional patch.

Kind regards,
Petr

Re: [PATCH ima-evm-utils 0/9] Docker based Travis CI builds

[Mimi Zohar]

On Wed, 2020-08-19 at 07:14 +0200, Petr Vorel wrote:
> Hi Mimi,
> 
> > Hi Petr,
> > On Thu, 2020-08-13 at 20:25 +0200, Petr Vorel wrote:
> > > Hi,
> > > we talked about Docker based Travis CI builds.
> > > Here they are [1]. Working on it revealed few bugs, that's why they're
> > > included.
> > > I've resent 2 commits ("man:" prefix).
> > > I haven't addressed Mimi's suggestion to replace ibmswtpm2 with libtmps/swtpm [2].
> > To summarize:
> > - Add libtpms/swtpm support
> > - Remove debugging from travis/fedora.sh 
> > - CentOS tss & tss2-devel issues
> > - Petr todo's comment:
> >   * add pgrep and pkill to _require (fix of a different commit)
> >   * add magic constant 114 to exit codes (in tests/functions.sh)
> >   * I'd like reuse exit codes in build.sh. I could source tests/functions.sh (they
> >     look to be general enough, just I didn't like script in root directory depending
> >     on it, as it's general enough for build without testing) have these constants in
> >     separate file.
> > swtpm: patch was posted, reviewed, and fixed.
> Great.
> 
> > CentOS: Our internal Travis on ppc64 is installing both tpm2-tss-2.0.0-
> > 4.el8.x86_64.rpm and tpm2-tss-devel-2.0.0-4.el8.x86_64.rpm on CentOS. 
> > In general, the "boot_aggregate.test" is only run if both a software
> > TPM and the tsseventextend exist.  If either one of them are missing,
> > the test is skipped.  For CentOS on x86, the "boot_aggregate" would be
> > skipped.
> Great. BTW it'd be nice to have native non-intel builds instead of
> cross-compilation. But, they're constantly broken on Travis CI, that's why I
> didn't implement it (I've been testing ppc64le and s390x for several months).

Thank you!

> 
> > Left is Petr's "todo's" comment.  Petr, would these be additional
> > patches on top of the existing ones or were you planning on re-posting
> > them?   If these are additional patches, I can remove the debugging
> > from travis/fedora.sh in patch 9/9.  Please let me know how you want to
> > go forward.
> Please, remove the debugging from travis/fedora.sh, I'll send additional patch.

Done.  The travis branch is now in next-testing.

thanks!

Mimi

Re: [PATCH ima-evm-utils 0/9] Docker based Travis CI builds

[George Wilson]

On Wed, Aug 19, 2020 at 10:37:23AM -0400, Mimi Zohar wrote:
> On Wed, 2020-08-19 at 07:14 +0200, Petr Vorel wrote:
> > Hi Mimi,
> > 
> > > Hi Petr,
> > > On Thu, 2020-08-13 at 20:25 +0200, Petr Vorel wrote:
> > > > Hi,
> > > > we talked about Docker based Travis CI builds.
> > > > Here they are [1]. Working on it revealed few bugs, that's why they're
> > > > included.
> > > > I've resent 2 commits ("man:" prefix).
> > > > I haven't addressed Mimi's suggestion to replace ibmswtpm2 with libtmps/swtpm [2].
> > > To summarize:
> > > - Add libtpms/swtpm support
> > > - Remove debugging from travis/fedora.sh 
> > > - CentOS tss & tss2-devel issues
> > > - Petr todo's comment:
> > >   * add pgrep and pkill to _require (fix of a different commit)
> > >   * add magic constant 114 to exit codes (in tests/functions.sh)
> > >   * I'd like reuse exit codes in build.sh. I could source tests/functions.sh (they
> > >     look to be general enough, just I didn't like script in root directory depending
> > >     on it, as it's general enough for build without testing) have these constants in
> > >     separate file.
> > > swtpm: patch was posted, reviewed, and fixed.
> > Great.
> > 
> > > CentOS: Our internal Travis on ppc64 is installing both tpm2-tss-2.0.0-
> > > 4.el8.x86_64.rpm and tpm2-tss-devel-2.0.0-4.el8.x86_64.rpm on CentOS. 
> > > In general, the "boot_aggregate.test" is only run if both a software
> > > TPM and the tsseventextend exist.  If either one of them are missing,
> > > the test is skipped.  For CentOS on x86, the "boot_aggregate" would be
> > > skipped.
> > Great. BTW it'd be nice to have native non-intel builds instead of
> > cross-compilation. But, they're constantly broken on Travis CI, that's why I
> > didn't implement it (I've been testing ppc64le and s390x for several months).
> 
> Thank you!

Hi Petr,

Being under the IBM Power organization, I'd like to add my thanks for testing on
ppc64!

> 
> > 
> > > Left is Petr's "todo's" comment.  Petr, would these be additional
> > > patches on top of the existing ones or were you planning on re-posting
> > > them?   If these are additional patches, I can remove the debugging
> > > from travis/fedora.sh in patch 9/9.  Please let me know how you want to
> > > go forward.
> > Please, remove the debugging from travis/fedora.sh, I'll send additional patch.
> 
> Done.  The travis branch is now in next-testing.
> 
> thanks!
> 
> Mimi
> 
> 
> 

-- 
George Wilson
IBM Linux Technology Center
Security Development