linux-integrity.vger.kernel.org archive mirror
* [ima-evm-utils: PATCH 0/5] initial travis support
@ 2020-07-31 18:24 Mimi Zohar
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 1/5] ima-evm-utils: travis: define travis.yml Mimi Zohar
                   ` (5 more replies)
  0 siblings, 6 replies; 41+ messages in thread
From: Mimi Zohar @ 2020-07-31 18:24 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele

Support for multiple TSS and crypto libraries resulted in needing to
test different software package combinations.  Although this is a
first attempt at using travis matrix, I've been asked to include the
travis.yml file in the git repo.  Before doing so, I'd appreciate
some sort of review.

thanks,

Mimi

Mimi Zohar (5):
  ima-evm-utils: travis: define travis.yml
  ima-evm-utils: travis: download, compile, and install a swTPM
  ima-evm-utils: travis: dependency on TSS for initializing software TPM
  ima-evm-utils: travis: support tpm2-tss
  ima-evm-utils: travis: openssl gost engine

 .travis.yml                  | 44 ++++++++++++++++++++++++++++++++++++
 tests/install-gost-engine.sh | 10 ++++++++
 tests/install-swtpm.sh       | 11 +++++++++
 tests/install-tpm2-tss.sh    | 19 ++++++++++++++++
 tests/install-tss.sh         |  8 +++++++
 5 files changed, 92 insertions(+)
 create mode 100644 .travis.yml
 create mode 100755 tests/install-gost-engine.sh
 create mode 100755 tests/install-swtpm.sh
 create mode 100755 tests/install-tpm2-tss.sh
 create mode 100755 tests/install-tss.sh

-- 
2.18.4


^ permalink raw reply	[flat|nested] 41+ messages in thread

* [ima-evm-utils: PATCH 1/5] ima-evm-utils: travis: define travis.yml
  2020-07-31 18:24 [ima-evm-utils: PATCH 0/5] initial travis support Mimi Zohar
@ 2020-07-31 18:24 ` Mimi Zohar
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 2/5] ima-evm-utils: travis: download, compile, and install a swTPM Mimi Zohar
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 41+ messages in thread
From: Mimi Zohar @ 2020-07-31 18:24 UTC (permalink / raw)
  To: linux-integrity
  Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele, Mimi Zohar

Initial travis.yml file without the "boot_aggregate" test.

Signed-off-by: Mimi Zohar <zoahr@linux.ibm.com>
---
 .travis.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .travis.yml

diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 000000000000..bf287898221e
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,18 @@
+language: C
+addons:
+ apt:
+  packages:
+   - libkeyutils-dev
+   - libattr1-dev
+   - attr
+   - openssl
+   - libssl-dev
+   - asciidoc
+   - xsltproc
+   - docbook-xsl
+   - docbook-xml
+script:
+   - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check TESTS="ima_hash.test sign_verify.test";
+
+   - tail -3 tests/ima_hash.log;
+   - tail -3 tests/sign_verify.log;
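
Review bot: No `dist:` key is set at the top of the new file, so the Ubuntu release, and with it the versions of `openssl` and `libssl-dev` pulled in through `addons.apt.packages`, is whatever Travis selects by default. Pin the image (for example `dist: bionic`) so that a change of default image does not silently change what is being tested. In the `script` list, the trailing `;` on each entry is not needed, and splitting the long `&&` chain into separate list items would make the failing stage easier to spot in the job log.
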
-- 
2.18.4


^ permalink raw reply related	[flat|nested] 41+ messages in thread

* [ima-evm-utils: PATCH 2/5] ima-evm-utils: travis: download, compile, and install a swTPM
  2020-07-31 18:24 [ima-evm-utils: PATCH 0/5] initial travis support Mimi Zohar
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 1/5] ima-evm-utils: travis: define travis.yml Mimi Zohar
@ 2020-07-31 18:24 ` Mimi Zohar
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 3/5] ima-evm-utils: travis: dependency on TSS for initializing software TPM Mimi Zohar
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 41+ messages in thread
From: Mimi Zohar @ 2020-07-31 18:24 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele

Verifying the "boot_aggregate" requires reading the TPM PCRs for each of
the TPM banks.  In test environments without a physical TPM, a software
TPM may be used.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .travis.yml            |  2 ++
 tests/install-swtpm.sh | 11 +++++++++++
 2 files changed, 13 insertions(+)
 create mode 100755 tests/install-swtpm.sh

diff --git a/.travis.yml b/.travis.yml
index bf287898221e..fa2a37625d52 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -11,6 +11,8 @@ addons:
    - xsltproc
    - docbook-xsl
    - docbook-xml
+install:
+   - ./tests/install-swtpm.sh
 script:
    - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check TESTS="ima_hash.test sign_verify.test";
 
diff --git a/tests/install-swtpm.sh b/tests/install-swtpm.sh
new file mode 100755
index 000000000000..071e9c9ae442
--- /dev/null
+++ b/tests/install-swtpm.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -ex
+wget https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download
+mkdir ibmtpm1332
+cd ibmtpm1332
+tar -xvzf ../download
+cd src
+make -j$(nproc)
+sudo cp tpm_server /usr/local/bin/
+cd ../..
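
Review bot: The tarball fetched by `wget` is unpacked, built, and its `tpm_server` copied into `/usr/local/bin` with `sudo` without any integrity check on the download. Record the expected SHA-256 of `ibmtpm1332.tar.gz` in the script and compare it (for example with `sha256sum -c`) before `tar -xvzf`, so that a changed or truncated download fails the job instead of being built. Passing `-O ibmtpm1332.tar.gz` to `wget` would also avoid relying on the file name `download`, and the tarball and source tree are left behind after the final `cd ../..`.
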
-- 
2.18.4


^ permalink raw reply related	[flat|nested] 41+ messages in thread

* [ima-evm-utils: PATCH 3/5] ima-evm-utils: travis: dependency on TSS for initializing software TPM
  2020-07-31 18:24 [ima-evm-utils: PATCH 0/5] initial travis support Mimi Zohar
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 1/5] ima-evm-utils: travis: define travis.yml Mimi Zohar
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 2/5] ima-evm-utils: travis: download, compile, and install a swTPM Mimi Zohar
@ 2020-07-31 18:24 ` Mimi Zohar
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 4/5] ima-evm-utils: travis: support tpm2-tss Mimi Zohar
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 41+ messages in thread
From: Mimi Zohar @ 2020-07-31 18:24 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele

Verifying the "boot_aggregate" requires reading the TPM PCRs for each of
the TPM banks.  In test environments without a physical TPM, a software
TPM may be used, but requires initializing the TPM PCRs.  By walking and
replaying the TPM event log, a software TPM may be properly initialized.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .travis.yml          | 4 +++-
 tests/install-tss.sh | 8 ++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100755 tests/install-tss.sh

diff --git a/.travis.yml b/.travis.yml
index fa2a37625d52..0a3476572f74 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,8 +13,10 @@ addons:
    - docbook-xml
 install:
    - ./tests/install-swtpm.sh
+   - ./tests/install-tss.sh
 script:
-   - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check TESTS="ima_hash.test sign_verify.test";
+   - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check;
 
    - tail -3 tests/ima_hash.log;
    - tail -3 tests/sign_verify.log;
+   - tail -3 tests/boot_aggregate.log;
diff --git a/tests/install-tss.sh b/tests/install-tss.sh
new file mode 100755
index 000000000000..c9c179eee6a8
--- /dev/null
+++ b/tests/install-tss.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -ex
+git clone https://git.code.sf.net/p/ibmtpm20tss/tss
+cd tss
+autoreconf -i && ./configure --disable-tpm-1.2 --disable-hwtpm && make -j$(nproc) && sudo make install
+cd ..
+rm -rf tss
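
Review bot: `git clone https://git.code.sf.net/p/ibmtpm20tss/tss` builds whatever the default branch points to when the job runs and installs it with `sudo make install`, so a CI result depends on the upstream HEAD of that day. Check out a fixed tag or commit after cloning, so that a failure can be attributed to an ima-evm-utils change rather than to a TSS change, and so that the code installed as root on the builder is a known revision.
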
-- 
2.18.4


^ permalink raw reply related	[flat|nested] 41+ messages in thread

* [ima-evm-utils: PATCH 4/5] ima-evm-utils: travis: support tpm2-tss
  2020-07-31 18:24 [ima-evm-utils: PATCH 0/5] initial travis support Mimi Zohar
                   ` (2 preceding siblings ...)
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 3/5] ima-evm-utils: travis: dependency on TSS for initializing software TPM Mimi Zohar
@ 2020-07-31 18:24 ` Mimi Zohar
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine Mimi Zohar
  2020-07-31 20:19 ` [ima-evm-utils: PATCH 0/5] initial travis support Petr Vorel
  5 siblings, 0 replies; 41+ messages in thread
From: Mimi Zohar @ 2020-07-31 18:24 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele

Running the "boot_aggregate" test without a physical TPM requires
installing and initializing a software TPM.  For now, use the same
method of initializing the TPM, based on the IBM tss, for both the
IBM and Intel's tss.

Build both the IBM and INTEL's tss.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .travis.yml               | 17 ++++++++++++++++-
 tests/install-tpm2-tss.sh | 19 +++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100755 tests/install-tpm2-tss.sh

diff --git a/.travis.yml b/.travis.yml
index 0a3476572f74..11a827c02f0a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -11,12 +11,27 @@ addons:
    - xsltproc
    - docbook-xsl
    - docbook-xml
+matrix:
+   include:
+     - env: TSS=ibmtss
+     - env: TSS=tpm2-tss
 install:
+   - if [ "${TSS}" = "tpm2-tss" ]; then
+           sudo apt-get install lcov pandoc autoconf-archive liburiparser-dev;
+           sudo apt-get install libdbus-1-dev libglib2.0-dev dbus-x11 libgcrypt-dev;
+           sudo apt-get install libssl-dev doxygen libjson-c-dev;
+           sudo apt-get install libini-config-dev libltdl-dev;
+           sudo apt-get install uuid-dev libcurl4-openssl-dev;
+          ./tests/install-tpm2-tss.sh;
+     fi
    - ./tests/install-swtpm.sh
    - ./tests/install-tss.sh
+
 script:
+   - export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib;
+   - export PATH=$PATH:/usr/local/bin;
    - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check;
 
    - tail -3 tests/ima_hash.log;
    - tail -3 tests/sign_verify.log;
-   - tail -3 tests/boot_aggregate.log;
+   - tail -20 tests/boot_aggregate.log;
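
Review bot: In the `install:` list, `./tests/install-tss.sh` still runs unconditionally, so in the `TSS=tpm2-tss` job both TSS stacks are installed when `./configure` runs and nothing in the log shows which one the build picked up. The commit message explains that the IBM TSS is needed to initialize the software TPM; please have the job print or assert which TSS was actually used, otherwise the two matrix entries may end up testing the same configuration. The five `sudo apt-get install` lines could also be merged into one call or moved to `addons.apt.packages`, where `libssl-dev` is already listed.
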
diff --git a/tests/install-tpm2-tss.sh b/tests/install-tpm2-tss.sh
new file mode 100755
index 000000000000..7a71b57a8729
--- /dev/null
+++ b/tests/install-tpm2-tss.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+git clone https://github.com/tpm2-software/tpm2-tss.git
+cd tpm2-tss
+./bootstrap
+./configure
+make -j$(nproc)
+sudo make install
+sudo ldconfig
+cd ..
+rm -rf tpm2-tss
+
+git clone https://github.com/tpm2-software/tpm2-tools.git
+cd tpm2-tools
+./bootstrap && ./configure --prefix=/usr
+make -j$(nproc)
+sudo make install
+cd ..
+rm -rf tpm2-tools
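
Review bot: Unlike `install-swtpm.sh` and `install-tss.sh`, this script has no `set -ex` after the shebang, so a failure in `./bootstrap`, `./configure` or `make` is ignored, the script carries on to `sudo make install` and the second clone, and it exits with the status of the last `rm -rf`. Add `set -ex`. Both `git clone` commands take the default branch unpinned, and tpm2-tools is configured with `--prefix=/usr` while tpm2-tss uses the default prefix, which deserves a comment if it is intentional.
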
-- 
2.18.4


^ permalink raw reply related	[flat|nested] 41+ messages in thread

* [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 18:24 [ima-evm-utils: PATCH 0/5] initial travis support Mimi Zohar
                   ` (3 preceding siblings ...)
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 4/5] ima-evm-utils: travis: support tpm2-tss Mimi Zohar
@ 2020-07-31 18:24 ` Mimi Zohar
  2020-07-31 18:56   ` Vitaly Chikunov
  2020-08-04 12:05   ` [ima-evm-utils: PATCH v1 " Mimi Zohar
  2020-07-31 20:19 ` [ima-evm-utils: PATCH 0/5] initial travis support Petr Vorel
  5 siblings, 2 replies; 41+ messages in thread
From: Mimi Zohar @ 2020-07-31 18:24 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele

The openssl version on travis doesn't have gost openssl engine support.
Download from source, rebuild and install local version.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .travis.yml                  |  7 +++++++
 tests/install-gost-engine.sh | 10 ++++++++++
 2 files changed, 17 insertions(+)
 create mode 100755 tests/install-gost-engine.sh

diff --git a/.travis.yml b/.travis.yml
index 11a827c02f0a..f5fb2c1da448 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,6 +15,13 @@ matrix:
    include:
      - env: TSS=ibmtss
      - env: TSS=tpm2-tss
+
+before_install:
+   - if [ "${SSL}" = "openssl" ]; then
+        ./tests/install-gost-engine.sh;
+        openssl version;
+     fi
+
 install:
    - if [ "${TSS}" = "tpm2-tss" ]; then
            sudo apt-get install lcov pandoc autoconf-archive liburiparser-dev;
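
Review bot: `SSL` is tested in the new `before_install` block, but neither `matrix.include` entry sets it (`env: TSS=ibmtss`, `env: TSS=tpm2-tss`), so `[ "${SSL}" = "openssl" ]` is false in every job and `./tests/install-gost-engine.sh` never runs. Either add `SSL=openssl` to the `env:` lines or drop the condition, and consider failing the job when a variable the matrix is supposed to provide is empty.
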
diff --git a/tests/install-gost-engine.sh b/tests/install-gost-engine.sh
new file mode 100755
index 000000000000..01bcf2c3bc21
--- /dev/null
+++ b/tests/install-gost-engine.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+openssl version
+
+git clone https://github.com/gost-engine/engine.git
+cd engine
+#cmake -DOPENSSL_INCLUDE_DIR=/usr/local/include/openssl -DOPENSSL_SSL_LIBRARY=/usr/local/lib64/libss.so -DOPENSSL_CRYPTO_LIBRARY=/usr/local/lib64/libcrypto.so -DOPENSSL_ENGINES_DIR=/usr/local/lib64/engines-1.1 .
+cmake .
+sudo make install
+cd ..
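
Review bot: There is no `set -e` after the shebang (the swtpm and tss install scripts use `set -ex`), so when `git clone` or `cmake .` fails the script continues to `sudo make install` and `cd ..` and still returns success. Add `set -ex`. The clone takes the default branch without checking that it matches the `openssl version` printed at the top; pin a branch or tag that fits the installed OpenSSL. The commented-out `cmake` line should be removed or fixed before merging; `libss.so` in it looks like a typo for `libssl.so`.
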
-- 
2.18.4


^ permalink raw reply related	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine Mimi Zohar
@ 2020-07-31 18:56   ` Vitaly Chikunov
  2020-07-31 20:18     ` Petr Vorel
  2020-08-04 12:05   ` [ima-evm-utils: PATCH v1 " Mimi Zohar
  1 sibling, 1 reply; 41+ messages in thread
From: Vitaly Chikunov @ 2020-07-31 18:56 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-integrity, Petr Vorel, Bruno Meneguele

Mimi,

On Fri, Jul 31, 2020 at 02:24:08PM -0400, Mimi Zohar wrote:
> The openssl version on travis doesn't have gost openssl engine support.
> Download from source, rebuild and install local version.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  .travis.yml                  |  7 +++++++
>  tests/install-gost-engine.sh | 10 ++++++++++
>  2 files changed, 17 insertions(+)
>  create mode 100755 tests/install-gost-engine.sh
> 
> diff --git a/.travis.yml b/.travis.yml
> index 11a827c02f0a..f5fb2c1da448 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -15,6 +15,13 @@ matrix:
>     include:
>       - env: TSS=ibmtss
>       - env: TSS=tpm2-tss
> +
> +before_install:
> +   - if [ "${SSL}" = "openssl" ]; then
> +        ./tests/install-gost-engine.sh;
> +        openssl version;
> +     fi
> +
>  install:
>     - if [ "${TSS}" = "tpm2-tss" ]; then
>             sudo apt-get install lcov pandoc autoconf-archive liburiparser-dev;
> diff --git a/tests/install-gost-engine.sh b/tests/install-gost-engine.sh
> new file mode 100755
> index 000000000000..01bcf2c3bc21
> --- /dev/null
> +++ b/tests/install-gost-engine.sh
> @@ -0,0 +1,10 @@
> +#!/bin/sh
> +
> +openssl version
> +
> +git clone https://github.com/gost-engine/engine.git

gost-engine master branch corresponds to openssl-3.0 which is probably
not on Travis systems yet. I think branch `openssl_1_1_0` should be used.

  git clone --branch openssl_1_1_0 https://github.com/gost-engine/engine.git

Thanks,

> +cd engine
> +#cmake -DOPENSSL_INCLUDE_DIR=/usr/local/include/openssl -DOPENSSL_SSL_LIBRARY=/usr/local/lib64/libss.so -DOPENSSL_CRYPTO_LIBRARY=/usr/local/lib64/libcrypto.so -DOPENSSL_ENGINES_DIR=/usr/local/lib64/engines-1.1 .
> +cmake .
> +sudo make install
> +cd ..
> -- 
> 2.18.4

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 18:56   ` Vitaly Chikunov
@ 2020-07-31 20:18     ` Petr Vorel
  2020-07-31 20:26       ` Vitaly Chikunov
  0 siblings, 1 reply; 41+ messages in thread
From: Petr Vorel @ 2020-07-31 20:18 UTC (permalink / raw)
  To: Vitaly Chikunov; +Cc: Mimi Zohar, linux-integrity, Bruno Meneguele

Hi,

> > +++ b/tests/install-gost-engine.sh
> > @@ -0,0 +1,10 @@
> > +#!/bin/sh
> > +
> > +openssl version
> > +
> > +git clone https://github.com/gost-engine/engine.git

> gost-engine master branch corresponds to openssl-3.0 which is probably
> not on Travis systems yet. I think branch `openssl_1_1_0` should be used.

>   git clone --branch openssl_1_1_0 https://github.com/gost-engine/engine.git

FYI: it works on current setup.
https://travis-ci.org/github/pevik/ima-evm-utils/builds/713815774

Kind regards,
Petr

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 0/5] initial travis support
  2020-07-31 18:24 [ima-evm-utils: PATCH 0/5] initial travis support Mimi Zohar
                   ` (4 preceding siblings ...)
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine Mimi Zohar
@ 2020-07-31 20:19 ` Petr Vorel
  5 siblings, 0 replies; 41+ messages in thread
From: Petr Vorel @ 2020-07-31 20:19 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-integrity, Vitaly Chikunov, Bruno Meneguele

Hi Mimi,

> Support for multiple TSS and crypto libraries resulted in needing to
> test different software package combinations.  Although this is a
> first attempt at using travis matrix, I've been asked to include the
> travis.yml file in the git repo.  Before doing so, I'd appreciate
> some sort of review.

Thanks for implementing it!
LGTM.
Tested-by: Petr Vorel <pvorel@suse.cz>

I'll try to find time soon to convert it to Docker based Travis CI.

Kind regards,
Petr

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 20:18     ` Petr Vorel
@ 2020-07-31 20:26       ` Vitaly Chikunov
  2020-07-31 20:40         ` Petr Vorel
  0 siblings, 1 reply; 41+ messages in thread
From: Vitaly Chikunov @ 2020-07-31 20:26 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Mimi Zohar, linux-integrity, Bruno Meneguele

Petr,

On Fri, Jul 31, 2020 at 10:18:08PM +0200, Petr Vorel wrote:
> > > +++ b/tests/install-gost-engine.sh
> > > @@ -0,0 +1,10 @@
> > > +#!/bin/sh
> > > +
> > > +openssl version
> > > +
> > > +git clone https://github.com/gost-engine/engine.git
> 
> > gost-engine master branch corresponds to openssl-3.0 which is probably
> > not on Travis systems yet. I think branch `openssl_1_1_0` should be used.
> 
> >   git clone --branch openssl_1_1_0 https://github.com/gost-engine/engine.git
> 
> FYI: it work on current setup.
> https://travis-ci.org/github/pevik/ima-evm-utils/builds/713815774

I think `install-gost-engine.sh` is not executed in this line:

  257 $ if [ "${SSL}" = "openssl" ]; then ./tests/install-gost-engine.sh; openssl version; fi   0.00s

> 
> Kind regards,
> Petr

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 20:26       ` Vitaly Chikunov
@ 2020-07-31 20:40         ` Petr Vorel
  2020-07-31 21:06           ` Vitaly Chikunov
  2020-08-03  2:53           ` Mimi Zohar
  0 siblings, 2 replies; 41+ messages in thread
From: Petr Vorel @ 2020-07-31 20:40 UTC (permalink / raw)
  To: Vitaly Chikunov; +Cc: Mimi Zohar, linux-integrity, Bruno Meneguele

> Petr,

> On Fri, Jul 31, 2020 at 10:18:08PM +0200, Petr Vorel wrote:
> > > > +++ b/tests/install-gost-engine.sh
> > > > @@ -0,0 +1,10 @@
> > > > +#!/bin/sh
> > > > +
> > > > +openssl version
> > > > +
> > > > +git clone https://github.com/gost-engine/engine.git

> > > gost-engine master branch corresponds to openssl-3.0 which is probably
> > > not on Travis systems yet. I think branch `openssl_1_1_0` should be used.

> > >   git clone --branch openssl_1_1_0 https://github.com/gost-engine/engine.git

> > FYI: it work on current setup.
> > https://travis-ci.org/github/pevik/ima-evm-utils/builds/713815774

> I think `install-gost-engine.sh` is not executed in this line:

>   257 $ if [ "${SSL}" = "openssl" ]; then ./tests/install-gost-engine.sh; openssl version; fi   0.00s

Good catch!
$ ./tests/install-gost-engine.sh
OpenSSL 1.1.1g  21 Apr 2020
fatal: destination path 'engine' already exists and is not an empty directory.
CMake Error at /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:165 (message):
  Could NOT find OpenSSL, try to set the path to OpenSSL root folder in the
  system variable OPENSSL_ROOT_DIR: Found unsuitable version "1.1.1g", but
  required is at least "3.0" (found /usr/lib64/libcrypto.so, )
Call Stack (most recent call first):
  /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:456 (_FPHSA_FAILURE_MESSAGE)
  /usr/share/cmake/Modules/FindOpenSSL.cmake:486 (find_package_handle_standard_args)
  CMakeLists.txt:11 (find_package)

-- Configuring incomplete, errors occurred!
See also "/home/pvorel/install/src/ima-evm-utils.git/engine/CMakeFiles/CMakeOutput.log".
make: *** No rule to make target 'install'.  Stop.

And when using suggested branch openssl_1_1_0, it also fails on make install
$ ./tests/install-gost-engine.sh
OpenSSL 1.1.1g  21 Apr 2020
Cloning into 'engine'...
remote: Enumerating objects: 63, done.
remote: Counting objects: 100% (63/63), done.
remote: Compressing objects: 100% (40/40), done.
remote: Total 2738 (delta 33), reused 32 (delta 21), pack-reused 2675
Receiving objects: 100% (2738/2738), 2.48 MiB | 2.09 MiB/s, done.
Resolving deltas: 100% (1735/1735), done.
-- The C compiler identification is GNU 10.1.1
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Found OpenSSL: /usr/lib64/libcrypto.so (found suitable version "1.1.1g", minimum required is "1.1")
-- Check if the system is big endian
-- Searching 16 bit integer
-- Looking for sys/types.h
-- Looking for sys/types.h - found
-- Looking for stdint.h
-- Looking for stdint.h - found
-- Looking for stddef.h
-- Looking for stddef.h - found
-- Check size of unsigned short
-- Check size of unsigned short - done
-- Searching 16 bit integer - Using unsigned short
-- Check if the system is big endian - little endian
-- LITTLE_ENDIAN
-- Configuring done
-- Generating done
-- Build files have been written to: /home/pvorel/install/src/ima-evm-utils.git/engine
make: *** No rule to make target 'install'.  Stop.

=> It'd be good to fix this and add some test with SSL=openssl variable.
But the branch would have to be updated from time to time.

BTW do you plan to test other crypto libraries?

Kind regards,
Petr

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 20:40         ` Petr Vorel
@ 2020-07-31 21:06           ` Vitaly Chikunov
  2020-07-31 22:32             ` Mimi Zohar
  2020-08-03 17:26             ` Mimi Zohar
  2020-08-03  2:53           ` Mimi Zohar
  1 sibling, 2 replies; 41+ messages in thread
From: Vitaly Chikunov @ 2020-07-31 21:06 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Mimi Zohar, linux-integrity, Bruno Meneguele

On Fri, Jul 31, 2020 at 10:40:44PM +0200, Petr Vorel wrote:
> And when using suggested branch openssl_1_1_0, it also fails on make install
> $ ./tests/install-gost-engine.sh
> OpenSSL 1.1.1g  21 Apr 2020
> Cloning into 'engine'...
> remote: Enumerating objects: 63, done.
> remote: Counting objects: 100% (63/63), done.
> remote: Compressing objects: 100% (40/40), done.
> remote: Total 2738 (delta 33), reused 32 (delta 21), pack-reused 2675
> Receiving objects: 100% (2738/2738), 2.48 MiB | 2.09 MiB/s, done.
> Resolving deltas: 100% (1735/1735), done.
> -- The C compiler identification is GNU 10.1.1
> -- Detecting C compiler ABI info
> -- Detecting C compiler ABI info - done
> -- Check for working C compiler: /usr/bin/cc - skipped
> -- Detecting C compile features
> -- Detecting C compile features - done
> -- Found OpenSSL: /usr/lib64/libcrypto.so (found suitable version "1.1.1g", minimum required is "1.1")
> -- Check if the system is big endian
> -- Searching 16 bit integer
> -- Looking for sys/types.h
> -- Looking for sys/types.h - found
> -- Looking for stdint.h
> -- Looking for stdint.h - found
> -- Looking for stddef.h
> -- Looking for stddef.h - found
> -- Check size of unsigned short
> -- Check size of unsigned short - done
> -- Searching 16 bit integer - Using unsigned short
> -- Check if the system is big endian - little endian
> -- LITTLE_ENDIAN
> -- Configuring done
> -- Generating done
> -- Build files have been written to: /home/pvorel/install/src/ima-evm-utils.git/engine
> make: *** No rule to make target 'install'.  Stop.

It seems this branch does not have an install target. I think,

- `engine/bin/gost.so` should be moved in platform dependent engines dir,
for example for debian9 it's `/usr/lib/x86_64-linux-gnu/engines-1.1/`
(found with strace).

- Or, just keep it as is, but `OPENSSL_ENGINES` env should be set to
`/home/pvorel/install/src/ima-evm-utils.git/engine/bin/`.

- Or even better, Bionic (which is supported by Travis) should have
  gost-engine already in the libengine-gost-openssl1.1 package.

  In that case `.travis.yml` should have `dist: bionic`.
    https://docs.travis-ci.com/user/reference/bionic/



> 
> => It'd be good to fix this and add some test with SSL=openssl variable.
> But the branch would have to be updated time to time.
> 
> BTW do you plan to test other crypto libraries?
> 
> Kind regards,
> Petr

^ permalink raw reply	[flat|nested] 41+ messages in thread
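
Added example, not part of the thread or of ima-evm-utils: a CI helper for the first two options listed in the message above (copy `gost.so` into the platform engines directory, or point `OPENSSL_ENGINES` at the build directory), which fails loudly when the build produced no engine. The function names and the `copy:`/`env:` plan strings are hypothetical; it assumes the engines directory is read from `openssl version -e`.

```sh
#!/bin/sh
# Added example: expose a locally built gost.so to OpenSSL 1.1.x when the
# engine branch has no "install" target. Names below are hypothetical.

# Extract the engines directory from `openssl version -e` output, which
# looks like:  ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
parse_enginesdir() {
    printf '%s\n' "$1" | sed -n 's/^ENGINESDIR: "\(.*\)"$/\1/p'
}

# Decide how to expose the engine built in $1, given the engines dir $2.
# Prints "copy:<enginesdir>" or "env:<builddir>"; returns 1 when gost.so
# is missing, so a failed build cannot pass silently.
gost_engine_plan() {
    builddir=$1
    enginesdir=$2
    if [ ! -f "$builddir/gost.so" ]; then
        echo "gost.so not found in $builddir; did the build fail?" >&2
        return 1
    fi
    if [ -n "$enginesdir" ] && [ -d "$enginesdir" ]; then
        echo "copy:$enginesdir"
    else
        echo "env:$builddir"
    fi
}

# Carry out the plan: copy into the system engines dir, or export
# OPENSSL_ENGINES so openssl searches the build directory instead.
apply_gost_engine_plan() {
    plan=$(gost_engine_plan "$1" "$2") || return 1
    case $plan in
        copy:*) sudo cp "$1/gost.so" "${plan#copy:}/" ;;
        env:*)  OPENSSL_ENGINES=${plan#env:}; export OPENSSL_ENGINES ;;
    esac
}

# Demo on a constructed sample of `openssl version -e` output.
SAMPLE_VERSION_E='ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"'
echo "engines dir parsed from sample: $(parse_enginesdir "$SAMPLE_VERSION_E")"

# In a CI script, after building in ./engine:
#   apply_gost_engine_plan "$PWD/engine/bin" \
#       "$(parse_enginesdir "$(openssl version -e)")"
#   openssl engine gost -c    # confirm the engine actually loads
```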

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 21:06           ` Vitaly Chikunov
@ 2020-07-31 22:32             ` Mimi Zohar
  2020-08-03  3:09               ` Mimi Zohar
  2020-08-03 16:32               ` Vitaly Chikunov
  2020-08-03 17:26             ` Mimi Zohar
  1 sibling, 2 replies; 41+ messages in thread
From: Mimi Zohar @ 2020-07-31 22:32 UTC (permalink / raw)
  To: Vitaly Chikunov, Petr Vorel; +Cc: linux-integrity, Bruno Meneguele

On Sat, 2020-08-01 at 00:06 +0300, Vitaly Chikunov wrote:
> On Fri, Jul 31, 2020 at 10:40:44PM +0200, Petr Vorel wrote:
> > And when using suggested branch openssl_1_1_0, it also fails on
> > make install
> > $ ./tests/install-gost-engine.sh
> > OpenSSL 1.1.1g  21 Apr 2020
> > Cloning into 'engine'...
> > remote: Enumerating objects: 63, done.
> > remote: Counting objects: 100% (63/63), done.
> > remote: Compressing objects: 100% (40/40), done.
> > remote: Total 2738 (delta 33), reused 32 (delta 21), pack-reused
> > 2675
> > Receiving objects: 100% (2738/2738), 2.48 MiB | 2.09 MiB/s, done.
> > Resolving deltas: 100% (1735/1735), done.
> > -- The C compiler identification is GNU 10.1.1
> > -- Detecting C compiler ABI info
> > -- Detecting C compiler ABI info - done
> > -- Check for working C compiler: /usr/bin/cc - skipped
> > -- Detecting C compile features
> > -- Detecting C compile features - done
> > -- Found OpenSSL: /usr/lib64/libcrypto.so (found suitable version
> > "1.1.1g", minimum required is "1.1")
> > -- Check if the system is big endian
> > -- Searching 16 bit integer
> > -- Looking for sys/types.h
> > -- Looking for sys/types.h - found
> > -- Looking for stdint.h
> > -- Looking for stdint.h - found
> > -- Looking for stddef.h
> > -- Looking for stddef.h - found
> > -- Check size of unsigned short
> > -- Check size of unsigned short - done
> > -- Searching 16 bit integer - Using unsigned short
> > -- Check if the system is big endian - little endian
> > -- LITTLE_ENDIAN
> > -- Configuring done
> > -- Generating done
> > -- Build files have been written to: /home/pvorel/install/src/ima-
> > evm-utils.git/engine
> > make: *** No rule to make target 'install'.  Stop.
> 
> It seems this branch does not have install target. I think,
> 
> - `engine/bin/gost.so` should be moved in platform dependent engines
> dir,
> for example for debian9 it's `/usr/lib/x86_64-linux-gnu/engines-1.1/`
> (found with strace).
> 
> - Or, just keep it as is, but `OPENSSL_ENGINES` env should be set to
> `/home/pvorel/install/src/ima-evm-utils.git/engine/bin/`.
> 
> - Or even better, Bionic (which is supported by Travis) should have
>   gost-engine already in the libengine-gost-openssl1.1 package.
> 
>   In that case `.travis.yml` should have `dist: bionic`.
>     https://docs.travis-ci.com/user/reference/bionic/

Yes, for the internal git repo I made this change.   The internal
travis support for bionic is different than the external travis.   I'll
post what I have as an RFC.
 
> 
> 
> > => It'd be good to fix this and add some test with SSL=openssl
> > variable.
> > But the branch would have to be updated time to time.
> > 
> > BTW do you plan to test other crypto libraries?

Mikhail Novosyolov posted a patch for libressl, but didn't follow up
with v2.   The openssl code version/release sections need to be cleaned
up some more for libressl.

For matrix testing, it would be nice for the package names and versions
to be included in the output.

Mimi


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 20:40         ` Petr Vorel
  2020-07-31 21:06           ` Vitaly Chikunov
@ 2020-08-03  2:53           ` Mimi Zohar
  2020-08-03 13:11             ` Petr Vorel
  1 sibling, 1 reply; 41+ messages in thread
From: Mimi Zohar @ 2020-08-03  2:53 UTC (permalink / raw)
  To: Petr Vorel, Vitaly Chikunov; +Cc: linux-integrity, Bruno Meneguele

On Fri, 2020-07-31 at 22:40 +0200, Petr Vorel wrote:
> > Petr,
> > On Fri, Jul 31, 2020 at 10:18:08PM +0200, Petr Vorel wrote:
> > > > > +++ b/tests/install-gost-engine.sh
> > > > > @@ -0,0 +1,10 @@
> > > > > +#!/bin/sh
> > > > > +
> > > > > +openssl version
> > > > > +
> > > > > +git clone https://github.com/gost-engine/engine.git
> > > > gost-engine master branch corresponds to openssl-3.0 which is
> > > > probably
> > > > not on Travis systems yet. I think branch `openssl_1_1_0`
> > > > should be used.
> > > >   git clone --branch openssl_1_1_0 
> > > > https://github.com/gost-engine/engine.git
> > > FYI: it work on current setup.
> > > https://travis-ci.org/github/pevik/ima-evm-utils/builds/713815774
> > I think `install-gost-engine.sh` is not executed in this line:
> >   257 $ if [ "${SSL}" = "openssl" ]; then ./tests/install-gost-
> > engine.sh; openssl version; fi   0.00s
> 
> Good catch!
> $ ./tests/install-gost-engine.sh
> OpenSSL 1.1.1g  21 Apr 2020
> fatal: destination path 'engine' already exists and is not an empty
> directory.
> CMake Error at
> /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:165
> (message):
>   Could NOT find OpenSSL, try to set the path to OpenSSL root folder
> in the
>   system variable OPENSSL_ROOT_DIR: Found unsuitable version
> "1.1.1g", but
>   required is at least "3.0" (found /usr/lib64/libcrypto.so, )
> Call Stack (most recent call first):
>   /usr/share/cmake/Modules/FindPackageHandleStandardArgs.cmake:456
> (_FPHSA_FAILURE_MESSAGE)
>   /usr/share/cmake/Modules/FindOpenSSL.cmake:486
> (find_package_handle_standard_args)
>   CMakeLists.txt:11 (find_package)
> 
> -- Configuring incomplete, errors occurred!
> See also "/home/pvorel/install/src/ima-evm-
> utils.git/engine/CMakeFiles/CMakeOutput.log".
> make: *** No rule to make target 'install'.  Stop.
> 
> And when using suggested branch openssl_1_1_0, it also fails on make
> install
> $ ./tests/install-gost-engine.sh
> OpenSSL 1.1.1g  21 Apr 2020
> Cloning into 'engine'...
> remote: Enumerating objects: 63, done.
> remote: Counting objects: 100% (63/63), done.
> remote: Compressing objects: 100% (40/40), done.
> remote: Total 2738 (delta 33), reused 32 (delta 21), pack-reused 2675
> Receiving objects: 100% (2738/2738), 2.48 MiB | 2.09 MiB/s, done.
> Resolving deltas: 100% (1735/1735), done.
> -- The C compiler identification is GNU 10.1.1
> -- Detecting C compiler ABI info
> -- Detecting C compiler ABI info - done
> -- Check for working C compiler: /usr/bin/cc - skipped
> -- Detecting C compile features
> -- Detecting C compile features - done
> -- Found OpenSSL: /usr/lib64/libcrypto.so (found suitable version
> "1.1.1g", minimum required is "1.1")
> -- Check if the system is big endian
> -- Searching 16 bit integer
> -- Looking for sys/types.h
> -- Looking for sys/types.h - found
> -- Looking for stdint.h
> -- Looking for stdint.h - found
> -- Looking for stddef.h
> -- Looking for stddef.h - found
> -- Check size of unsigned short
> -- Check size of unsigned short - done
> -- Searching 16 bit integer - Using unsigned short
> -- Check if the system is big endian - little endian
> -- LITTLE_ENDIAN
> -- Configuring done
> -- Generating done
> -- Build files have been written to: /home/pvorel/install/src/ima-
> evm-utils.git/engine
> make: *** No rule to make target 'install'.  Stop.
> 
> => It'd be good to fix this and add some test with SSL=openssl variable.
> But the branch would have to be updated from time to time.
> 
> BTW do you plan to test other crypto libraries?

Thanks, Vitaly, Petr, for catching this.  SSL isn't defined yet.  The
test should be removed.  If/when libressl is added, it would look like:

-     - env: TSS=ibmtss
-     - env: TSS=tpm2-tss
+     - env: TSS=ibmtss SSL=openssl
+     - env: TSS=ibmtss SSL=libressl;
+     - env: TSS=tpm2-tss SSL=openssl
 
 before_install:
+   - if [ "${SSL}" = "libressl" ]; then
+        ./tests/install-libressl.sh;
+     fi
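Review bot: The `SSL=libressl;` matrix entry ends with a semicolon that the other two `env:` lines do not have; if it is taken as part of the value, the `[ "${SSL}" = "libressl" ]` test in before_install will not match and `./tests/install-libressl.sh` is skipped. Drop the trailing `;` so all three entries have the same form.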

Mimi


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 22:32             ` Mimi Zohar
@ 2020-08-03  3:09               ` Mimi Zohar
  2020-08-03 13:07                 ` Petr Vorel
  2020-08-03 16:32               ` Vitaly Chikunov
  1 sibling, 1 reply; 41+ messages in thread
From: Mimi Zohar @ 2020-08-03  3:09 UTC (permalink / raw)
  To: Vitaly Chikunov, Petr Vorel; +Cc: linux-integrity, Bruno Meneguele

On Fri, 2020-07-31 at 18:32 -0400, Mimi Zohar wrote:
> 
> > - Or even better, Bionic (which is supported by Travis) should have
> >   gost-engine already in the libengine-gost-openssl1.1 package.
> > 
> >   In that case `.travis.yml` should have `dist: bionic`.
> >     https://docs.travis-ci.com/user/reference/bionic/
> 
> Yes, for the internal git repo I made this change.   The internal
> travis support for bionic is different than the external
> travis.   I'll post what I have as an RFC.

The internal travis support on ppc defaults to using Bionic, but the
way of specifying it is different.

+os: linux-ppc64le
 language: C
 addons:
  apt:

Mimi


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-03  3:09               ` Mimi Zohar
@ 2020-08-03 13:07                 ` Petr Vorel
  2020-08-03 14:29                   ` Mimi Zohar
  0 siblings, 1 reply; 41+ messages in thread
From: Petr Vorel @ 2020-08-03 13:07 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Vitaly Chikunov, linux-integrity, Bruno Meneguele

Hi all,

> On Fri, 2020-07-31 at 18:32 -0400, Mimi Zohar wrote:

> > > - Or even better, Bionic (which is supported by Travis) should have
> > >   gost-engine already in the libengine-gost-openssl1.1 package.

> > >   In that case `.travis.yml` should have `dist: bionic`.
> > >     https://docs.travis-ci.com/user/reference/bionic/

> > Yes, for the internal git repo I made this change.   The internal
> > travis support for bionic is different than the external
> > travis.   I'll post what I have as an RFC.

> The internal travis support on ppc defaults to using Bionic, but the
> way of specifying it is different.

> +os: linux-ppc64le
>  language: C
>  addons:
>   apt:

@Mimi: As I wrote, I'd suggest moving to docker based travis. I can do it once
other issues are addressed, if this setup works for your internal travis support
as well. See examples .travis.yml [1] [2], builds: [3] [4].

Advantages are more realistic builds for distro maintainers (different libc and
library versions, you can test old and new distro releases, etc), but maybe
that's not what you want/need.

Disadvantage is that sometimes docker releases have temporary packaging related
issues (first build in [3]; failure in first build [4] is a bug in LTP, corner
case, which would otherwise be undiscovered for a long time).

Kind regards,
Petr

[1] https://github.com/linux-test-project/ltp/blob/master/.travis.yml
[2] https://github.com/iputils/iputils/blob/master/.travis.yml
[3] https://travis-ci.org/github/iputils/iputils/builds/714445071
[4] https://travis-ci.org/github/linux-test-project/ltp/builds/714400199

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-03  2:53           ` Mimi Zohar
@ 2020-08-03 13:11             ` Petr Vorel
  2020-08-03 14:33               ` Mimi Zohar
  0 siblings, 1 reply; 41+ messages in thread
From: Petr Vorel @ 2020-08-03 13:11 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Vitaly Chikunov, linux-integrity, Bruno Meneguele

Hi all,

> Thanks, Vitaly, Petr, for catching this.  SSL isn't defined yet.   The
> test should be removed.  If/when libressl is added, it would look like:

> -     - env: TSS=ibmtss
> -     - env: TSS=tpm2-tss
> +     - env: TSS=ibmtss SSL=openssl
> +     - env: TSS=ibmtss SSL=libressl;
> +     - env: TSS=tpm2-tss SSL=openssl

>  before_install:
> +   - if [ "${SSL}" = "libressl" ]; then
> +        ./tests/install-libressl.sh;
> +     fi

FYI: Libressl is packaged for some distros (if docker based Travis is used):

https://pkgs.org/download/libressl

Kind regards,
Petr

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-03 13:07                 ` Petr Vorel
@ 2020-08-03 14:29                   ` Mimi Zohar
  2020-08-03 16:46                     ` Petr Vorel
  0 siblings, 1 reply; 41+ messages in thread
From: Mimi Zohar @ 2020-08-03 14:29 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Vitaly Chikunov, linux-integrity, Bruno Meneguele

On Mon, 2020-08-03 at 15:07 +0200, Petr Vorel wrote:
> Hi all,
> 
> > On Fri, 2020-07-31 at 18:32 -0400, Mimi Zohar wrote:
> > > > - Or even better, Bionic (which is supported by Travis) should have
> > > >   gost-engine already in the libengine-gost-openssl1.1 package.
> > > >   In that case `.travis.yml` should have `dist: bionic`.
> > > >     https://docs.travis-ci.com/user/reference/bionic/
> > > Yes, for the internal git repo I made this change.   The internal
> > > travis support for bionic is different than the external
> > > travis.   I'll post what I have as an RFC.
> > The internal travis support on ppc defaults to using Bionic, but the
> > way of specifying it is different.
> > +os: linux-ppc64le
> >  language: C
> >  addons:
> >   apt:
> 
> @Mimi: As I wrote, I'd suggest moving to docker based travis. I can do it once
> other issues are addressed, if this setup works for your internal travis support
> as well. See examples .travis.yml [1] [2], builds: [3] [4].
> 
> Advantages are more realistic builds for distro maintainers (different libc and
> library versions, you can test old and new distro releases, etc), but maybe
> that's not what you want/need.
> 
> Disadvantage is that sometimes docker releases have temporary packaging related
> issues (first build in [3]; failure in first build [4] is a bug in LTP, corner
> case, which would otherwise be undiscovered for a long time).

Nice!  I definitely want to move to a docker based travis.   How should
we move forward?   Should there be a 1.3.1 release now with just the
few changes in the next branch and include the existing travis branch
with changes to address Vitaly's comments?

Mimi

> 
> [1] https://github.com/linux-test-project/ltp/blob/master/.travis.yml
> [2] https://github.com/iputils/iputils/blob/master/.travis.yml
> [3] https://travis-ci.org/github/iputils/iputils/builds/714445071
> [4] https://travis-ci.org/github/linux-test-project/ltp/builds/714400199


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-03 13:11             ` Petr Vorel
@ 2020-08-03 14:33               ` Mimi Zohar
  0 siblings, 0 replies; 41+ messages in thread
From: Mimi Zohar @ 2020-08-03 14:33 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Vitaly Chikunov, linux-integrity, Bruno Meneguele

On Mon, 2020-08-03 at 15:11 +0200, Petr Vorel wrote:
> Hi all,
> 
> > Thanks, Vitaly, Petr, for catching this.  SSL isn't defined yet.   The
> > test should be removed.  If/when libressl is added, it would look like:
> > -     - env: TSS=ibmtss
> > -     - env: TSS=tpm2-tss
> > +     - env: TSS=ibmtss SSL=openssl
> > +     - env: TSS=ibmtss SSL=libressl;
> > +     - env: TSS=tpm2-tss SSL=openssl
> >  before_install:
> > +   - if [ "${SSL}" = "libressl" ]; then
> > +        ./tests/install-libressl.sh;
> > +     fi
> 
> FYI: Libressl is packaged for some distros (if docker based Travis is used):
> 
> https://pkgs.org/download/libressl

Good to know.   There are currently issues compiling ima-evm-utils with
libressl that need to be addressed.

Mimi


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 22:32             ` Mimi Zohar
  2020-08-03  3:09               ` Mimi Zohar
@ 2020-08-03 16:32               ` Vitaly Chikunov
  2020-08-03 16:36                 ` Petr Vorel
  1 sibling, 1 reply; 41+ messages in thread
From: Vitaly Chikunov @ 2020-08-03 16:32 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Petr Vorel, linux-integrity, Bruno Meneguele

Mimi,

On Fri, Jul 31, 2020 at 06:32:42PM -0400, Mimi Zohar wrote:
> >   In that case `.travis.yml` should have `dist: bionic`.
> >     https://docs.travis-ci.com/user/reference/bionic/
> 
> Yes, for the internal git repo I made this change.   The internal
> travis support for bionic is different than the external travis.   I'll
> post what I have as an RFC.

Excuse me, what is internal/external travis? I know only travis from
github.

Thanks,


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-03 16:32               ` Vitaly Chikunov
@ 2020-08-03 16:36                 ` Petr Vorel
  0 siblings, 0 replies; 41+ messages in thread
From: Petr Vorel @ 2020-08-03 16:36 UTC (permalink / raw)
  To: Vitaly Chikunov; +Cc: Mimi Zohar, linux-integrity, Bruno Meneguele

Hi all,

...
> Excuse me, what is internal/external travis? I know only travis from
> github.
I guess IBM has some paid service from Travis, which they use internally.

Kind regards,
Petr

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-03 14:29                   ` Mimi Zohar
@ 2020-08-03 16:46                     ` Petr Vorel
  2020-08-03 17:16                       ` Mimi Zohar
  0 siblings, 1 reply; 41+ messages in thread
From: Petr Vorel @ 2020-08-03 16:46 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Vitaly Chikunov, linux-integrity, Bruno Meneguele

Hi all,

...
> > @Mimi: As I wrote, I'd suggest moving to docker based travis. I can do it once
> > other issues are addressed, if this setup works for your internal travis support
> > as well. See examples .travis.yml [1] [2], builds: [3] [4].

> > Advantages are more realistic builds for distro maintainers (different libc and
> > library versions, you can test old and new distro releases, etc), but maybe
> > that's not what you want/need.

> > Disadvantage is that sometimes docker releases have temporary packaging related
> > issues (first build in [3]; failure in first build [4] is a bug in LTP, corner
> > case, which would otherwise be undiscovered for a long time).

> Nice!  I definitely want to move to a docker based travis.   How should
> we move forward?   Should there be a 1.3.1 release now with just the
> few changes in the next branch and include the existing travis branch
> with changes to address Vitaly's comments?
Yes, that would work for me. Travis changes aren't related to the release
(it just needs to be published in git), let's give users the fixes.

Docker based setup shouldn't take long. It's all about finding the dependencies
for used distros (I usually keep them in travis/ directory [5] [6]) and agreeing on the
variants (which distros, how many jobs are still meaningful, which crypto and
TPM libraries, whether to also use clang, non-intel archs and cross-compilation).

Kind regards,
Petr

> Mimi

> > [1] https://github.com/linux-test-project/ltp/blob/master/.travis.yml
> > [2] https://github.com/iputils/iputils/blob/master/.travis.yml
> > [3] https://travis-ci.org/github/iputils/iputils/builds/714445071
> > [4] https://travis-ci.org/github/linux-test-project/ltp/builds/714400199

[5] https://github.com/linux-test-project/ltp/blob/master/travis/
[6] https://github.com/iputils/iputils/blob/master/travis/

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-03 16:46                     ` Petr Vorel
@ 2020-08-03 17:16                       ` Mimi Zohar
  2020-08-04  7:22                         ` Petr Vorel
  0 siblings, 1 reply; 41+ messages in thread
From: Mimi Zohar @ 2020-08-03 17:16 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Vitaly Chikunov, linux-integrity, Bruno Meneguele

On Mon, 2020-08-03 at 18:46 +0200, Petr Vorel wrote:
> Hi all,
> 
> ...
> > > @Mimi: As I wrote, I'd suggest moving to docker based travis. I can do it once
> > > other issues are addressed, if this setup works for your internal travis support
> > > as well. See examples .travis.yml [1] [2], builds: [3] [4].
> > > Advantages are more realistic builds for distro maintainers (different libc and
> > > library versions, you can test old and new distro releases, etc), but maybe
> > > that's not what you want/need.
> > > Disadvantage is that sometimes docker releases have temporary packaging related
> > > issues (first build in [3]; failure in first build [4] is a bug in LTP, corner
> > > case, which would otherwise be undiscovered for a long time).
> > Nice!  I definitely want to move to a docker based travis.   How should
> > we move forward?   Should there be a 1.3.1 release now with just the
> > few changes in the next branch and include the existing travis branch
> > with changes to address Vitaly's comments?

I left off the list TPM 2.0 --pcr support, but the kernel code for
exporting the sysfs TPM 2.0 pcrs hasn't been upstreamed yet.   I guess
we should wait for that to be upstreamed or at least queued to be
upstreamed.

> Yes, that would work for me. Travis changes aren't related to the release
> (it just needs to be published in git), let's give users the fixes.

Ok. 

> 
> Docker based setup shouldn't take long. It's all about finding the dependencies
> for used distros (I usually keep them in travis/ directory [5] [6]) and agreeing on the
> variants (which distros, how many jobs are still meaningful, which crypto and
> TPM libraries, whether to also use clang, non-intel archs and cross-compilation).

Great!

Mimi


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 21:06           ` Vitaly Chikunov
  2020-07-31 22:32             ` Mimi Zohar
@ 2020-08-03 17:26             ` Mimi Zohar
  2020-08-03 18:42               ` Vitaly Chikunov
  1 sibling, 1 reply; 41+ messages in thread
From: Mimi Zohar @ 2020-08-03 17:26 UTC (permalink / raw)
  To: Vitaly Chikunov, Petr Vorel; +Cc: linux-integrity, Bruno Meneguele

On Sat, 2020-08-01 at 00:06 +0300, Vitaly Chikunov wrote:
> On Fri, Jul 31, 2020 at 10:40:44PM +0200, Petr Vorel wrote:
> > And when using suggested branch openssl_1_1_0, it also fails on make install
> > $ ./tests/install-gost-engine.sh
> > OpenSSL 1.1.1g  21 Apr 2020
> > Cloning into 'engine'...
> > remote: Enumerating objects: 63, done.
> > remote: Counting objects: 100% (63/63), done.
> > remote: Compressing objects: 100% (40/40), done.
> > remote: Total 2738 (delta 33), reused 32 (delta 21), pack-reused 2675
> > Receiving objects: 100% (2738/2738), 2.48 MiB | 2.09 MiB/s, done.
> > Resolving deltas: 100% (1735/1735), done.
> > -- The C compiler identification is GNU 10.1.1
> > -- Detecting C compiler ABI info
> > -- Detecting C compiler ABI info - done
> > -- Check for working C compiler: /usr/bin/cc - skipped
> > -- Detecting C compile features
> > -- Detecting C compile features - done
> > -- Found OpenSSL: /usr/lib64/libcrypto.so (found suitable version "1.1.1g", minimum required is "1.1")
> > -- Check if the system is big endian
> > -- Searching 16 bit integer
> > -- Looking for sys/types.h
> > -- Looking for sys/types.h - found
> > -- Looking for stdint.h
> > -- Looking for stdint.h - found
> > -- Looking for stddef.h
> > -- Looking for stddef.h - found
> > -- Check size of unsigned short
> > -- Check size of unsigned short - done
> > -- Searching 16 bit integer - Using unsigned short
> > -- Check if the system is big endian - little endian
> > -- LITTLE_ENDIAN
> > -- Configuring done
> > -- Generating done
> > -- Build files have been written to: /home/pvorel/install/src/ima-evm-utils.git/engine
> > make: *** No rule to make target 'install'.  Stop.
> 
> It seems this branch does not have an install target. I think,
> 
> - `engine/bin/gost.so` should be moved in platform dependent engines dir,
> for example for debian9 it's `/usr/lib/x86_64-linux-gnu/engines-1.1/`
> (found with strace).
> 
> - Or, just keep it as is, but `OPENSSL_ENGINES` env should be set to
> `/home/pvorel/install/src/ima-evm-utils.git/engine/bin/`.
> 
> - Or even better, Bionic (which is supported by Travis) should have
>   gost-engine already in the libengine-gost-openssl1.1 package.
> 
>   In that case `.travis.yml` should have `dist: bionic`.
>     https://docs.travis-ci.com/user/reference/bionic/

Petr, Vitaly, so I should drop  "ima-evm-utils: travis: openssl gost
engine" and add "dist: bionic" instead?

Mimi


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-03 17:26             ` Mimi Zohar
@ 2020-08-03 18:42               ` Vitaly Chikunov
  0 siblings, 0 replies; 41+ messages in thread
From: Vitaly Chikunov @ 2020-08-03 18:42 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Petr Vorel, linux-integrity, Bruno Meneguele

Mimi,

On Mon, Aug 03, 2020 at 01:26:19PM -0400, Mimi Zohar wrote:
> On Sat, 2020-08-01 at 00:06 +0300, Vitaly Chikunov wrote:
> > On Fri, Jul 31, 2020 at 10:40:44PM +0200, Petr Vorel wrote:
> > - Or even better, Bionic (which is supported by Travis) should have
> >   gost-engine already in the libengine-gost-openssl1.1 package.
> > 
> >   In that case `.travis.yml` should have `dist: bionic`.
> >     https://docs.travis-ci.com/user/reference/bionic/
> 
> Petr, Vitaly, so I should drop  "ima-evm-utils: travis: openssl gost
> engine" and add "dist: bionic" instead?

I am not sure yet. As I remember, travis has different available ubuntu
distros for different arches. Thus, for ppc or s390x it may not have bionic.
It would be easier to fix install of gost-engine. It's small and will
build quickly.

Thanks,


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-03 17:16                       ` Mimi Zohar
@ 2020-08-04  7:22                         ` Petr Vorel
  2020-08-04  7:54                           ` Petr Vorel
  0 siblings, 1 reply; 41+ messages in thread
From: Petr Vorel @ 2020-08-04  7:22 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Vitaly Chikunov, linux-integrity, Bruno Meneguele

Hi Mimi,

...
> I left off the list TPM 2.0 --pcr support, but the kernel code for
> exporting the sysfs TPM 2.0 pcrs hasn't been upstreamed yet.   I guess
> we should wait for that to be upstreamed or at least queued to be
> upstreamed.
OK, we have to wait. BTW is the patch somewhere on ML? Is it part of this
patchset https://patchwork.kernel.org/cover/11656949/ ?

After merging Lachlan's patchset https://patchwork.ozlabs.org/project/ltp/list/?series=193909
I'll fix ima_ltp only for TPM 1.2 (rebase my patch https://patchwork.ozlabs.org/project/ltp/patch/20200527071434.28574-1-pvorel@suse.cz/).

...
> > Docker based setup shouldn't take long. It's all about finding the dependencies
> > for used distros (I usually keep them in travis/ directory [5] [6]) and agreeing on the
> > variants (which distros, how many jobs are still meaningful, which crypto and
> > TPM libraries, whether to also use clang, non-intel archs and cross-compilation).

> Great!
Just let me know once travis non-docker is fixed and in git (in which branch).

Kind regards,
Petr

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-04  7:22                         ` Petr Vorel
@ 2020-08-04  7:54                           ` Petr Vorel
  2020-08-04 13:23                             ` Mimi Zohar
  0 siblings, 1 reply; 41+ messages in thread
From: Petr Vorel @ 2020-08-04  7:54 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Vitaly Chikunov, linux-integrity, Bruno Meneguele

Hi Mimi,

> ...
> > I left off the list TPM 2.0 --pcr support, but the kernel code for
> > exporting the sysfs TPM 2.0 pcrs hasn't been upstreamed yet.   I guess
> > we should wait for that to be upstreamed or at least queued to be
> > upstreamed.
> OK, we have to wait. BTW is the patch somewhere on ML? Is it part of this
> patchset https://patchwork.kernel.org/cover/11656949/ ?
Oh, that's for ima_evm_utils. I meant patchset for kernel space.

Kind regards,
Petr

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH v1 5/5] ima-evm-utils: travis: openssl gost engine
  2020-07-31 18:24 ` [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine Mimi Zohar
  2020-07-31 18:56   ` Vitaly Chikunov
@ 2020-08-04 12:05   ` Mimi Zohar
  2020-08-04 14:45     ` Vitaly Chikunov
  1 sibling, 1 reply; 41+ messages in thread
From: Mimi Zohar @ 2020-08-04 12:05 UTC (permalink / raw)
  To: linux-integrity; +Cc: Petr Vorel, Vitaly Chikunov, Bruno Meneguele

The openssl version might not have gost openssl engine support.
Download from source, rebuild and install local version.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .travis.yml                  | 10 ++++++++++
 tests/install-gost-engine.sh | 10 ++++++++++
 2 files changed, 20 insertions(+)
 create mode 100755 tests/install-gost-engine.sh

diff --git a/.travis.yml b/.travis.yml
index 11a827c02f0a..887f6bbea9b9 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,6 +15,13 @@ matrix:
    include:
      - env: TSS=ibmtss
      - env: TSS=tpm2-tss
+
+before_install:
+   - if [ "${SSL}" = "openssl" ]; then
+        ./tests/install-gost-engine.sh;
+        openssl version;
+     fi
+
 install:
    - if [ "${TSS}" = "tpm2-tss" ]; then
            sudo apt-get install lcov pandoc autoconf-archive liburiparser-dev;
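Review bot: The new before_install step tests `"${SSL}" = "openssl"`, but both matrix entries in the context lines set only `TSS` (`env: TSS=ibmtss`, `env: TSS=tpm2-tss`), so `SSL` is empty in every job and `./tests/install-gost-engine.sh` never runs. Either add `SSL=openssl` to the `env:` entries or drop the condition and run the script unconditionally.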
@@ -30,6 +37,9 @@ install:
 script:
    - export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib;
    - export PATH=$PATH:/usr/local/bin;
+   - if [ "${SSL}" = "openssl" ]; then
+        export OPENSSL_ENGINES="$OPENSSL_ENGINES:$PWD/engines/bin";
+     fi
    - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check;
 
    - tail -3 tests/ima_hash.log;
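Review bot: The script-section export points `OPENSSL_ENGINES` at `$PWD/engines/bin`, while tests/install-gost-engine.sh in this same patch clones into and builds in `engine` (singular), so the directory named here is never created. Use `$PWD/engine/bin`, and since the `$OPENSSL_ENGINES:` prefix leaves a leading colon when the variable is unset, assign the directory directly.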
diff --git a/tests/install-gost-engine.sh b/tests/install-gost-engine.sh
new file mode 100755
index 000000000000..2563aa4953f7
--- /dev/null
+++ b/tests/install-gost-engine.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+openssl version
+
+git clone --branch openssl_1_1_0 https://github.com/gost-engine/engine.git
+cd engine
+cmake .
+cmake --build .
+# note: install target is missing, later set the environment variable.
+cd ..
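Review bot: tests/install-gost-engine.sh has no error handling and its last command is `cd ..`, so a failed `git clone` or `cmake --build .` still leaves the script exiting 0 and the Travis job carries on without an engine. Add `set -e` after the shebang (or chain the steps with `&&`) so a build failure stops the job in before_install.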
-- 
2.18.4



^ permalink raw reply related	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-04  7:54                           ` Petr Vorel
@ 2020-08-04 13:23                             ` Mimi Zohar
  2020-08-05  9:42                               ` Petr Vorel
  0 siblings, 1 reply; 41+ messages in thread
From: Mimi Zohar @ 2020-08-04 13:23 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Vitaly Chikunov, linux-integrity, Bruno Meneguele

Hi Petr, Vitaly,

On Tue, 2020-08-04 at 09:54 +0200, Petr Vorel wrote:
> Hi Mimi,
> 
> > ...
> > > I left off the list TPM 2.0 --pcr support, but the kernel code for
> > > exporting the sysfs TPM 2.0 pcrs hasn't been upstreamed yet.   I guess
> > > we should wait for that to be upstreamed or at least queued to be
> > > upstreamed.
> > OK, we have to wait. BTW is the patch somewhere on ML? Is it part of this
> > patchset https://patchwork.kernel.org/cover/11656949/ ?
> Oh, that's for ima_evm_utils. I meant patchset for kernel space.

"[PATCH v3 1/1] tpm: add sysfs exports for all banks of PCR registers"
was posted here on the linux-integrity mailing list[1].  It's important
to get this patch upstreamed, but I think the PCR file format is useful
on its own.  For this reason, I'm going to backtrack and include it in
1.3.1.

I've posted a new version of "travis: openssl gost engine" addressing
the branch version and lack of an install target.   It assumes that
openssl was built with engine support and builds the gost engine
support from the git repo.  The environment variable is set, but has
not been tested.

Everything, including this change, should now be in the next-testing
branch.

thanks,

Mimi

[1] message-id: 
20200722155739.26957-2-James.Bottomley@HansenPartnership.com


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH v1 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-04 12:05   ` [ima-evm-utils: PATCH v1 " Mimi Zohar
@ 2020-08-04 14:45     ` Vitaly Chikunov
  2020-08-04 18:11       ` Mimi Zohar
  0 siblings, 1 reply; 41+ messages in thread
From: Vitaly Chikunov @ 2020-08-04 14:45 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-integrity, Petr Vorel, Bruno Meneguele

Mimi,

On Tue, Aug 04, 2020 at 08:05:31AM -0400, Mimi Zohar wrote:
> The openssl version might not have gost openssl engine support.
> Download from source, rebuild and install local version.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  .travis.yml                  | 10 ++++++++++
>  tests/install-gost-engine.sh | 10 ++++++++++
>  2 files changed, 20 insertions(+)
>  create mode 100755 tests/install-gost-engine.sh
> 
> diff --git a/.travis.yml b/.travis.yml
> index 11a827c02f0a..887f6bbea9b9 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -15,6 +15,13 @@ matrix:
>     include:
>       - env: TSS=ibmtss
>       - env: TSS=tpm2-tss
> +
> +before_install:
> +   - if [ "${SSL}" = "openssl" ]; then
> +        ./tests/install-gost-engine.sh;
> +        openssl version;
> +     fi
> +
>  install:
>     - if [ "${TSS}" = "tpm2-tss" ]; then
>             sudo apt-get install lcov pandoc autoconf-archive liburiparser-dev;
> @@ -30,6 +37,9 @@ install:
>  script:
>     - export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib;
>     - export PATH=$PATH:/usr/local/bin;
> +   - if [ "${SSL}" = "openssl" ]; then
> +        export OPENSSL_ENGINES="$OPENSSL_ENGINES:$PWD/engines/bin";

Should be `export OPENSSL_ENGINES=$PWD/engines/bin` since
OPENSSL_ENGINES is not a PATH-like variable, but just a path to engines
dir.

Thanks,

> +     fi
>     - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check;
>  
>     - tail -3 tests/ima_hash.log;
> diff --git a/tests/install-gost-engine.sh b/tests/install-gost-engine.sh
> new file mode 100755
> index 000000000000..2563aa4953f7
> --- /dev/null
> +++ b/tests/install-gost-engine.sh
> @@ -0,0 +1,10 @@
> +#!/bin/sh
> +
> +openssl version
> +
> +git clone --branch openssl_1_1_0 https://github.com/gost-engine/engine.git
> +cd engine
> +cmake .
> +cmake --build .
> +# note: install target is missing, later set the environment variable.
> +cd ..
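Review bot: The `git clone --branch openssl_1_1_0` line builds whatever the tip of that branch is at job time, so the code compiled and loaded into openssl during `make check` can change without any change in this repository. Check out a fixed tag or commit after cloning (a placeholder such as `git checkout <commit>`), which also makes CI failures reproducible.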
> -- 
> 2.18.4
> 

^ permalink raw reply	[flat|nested] 41+ messages in thread
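
The point made in the reply above, that OPENSSL_ENGINES holds one directory rather than a PATH-style list, can be checked in CI before the variable is exported. This is an added example, not code from the thread or from ima-evm-utils; the function name `engines_dir_ok`, the `gost.so` file-name check and the world-writable check are assumptions made here.

```shell
#!/bin/sh
# Added example: validate a directory before exporting it as OPENSSL_ENGINES.
# engines_dir_ok is a hypothetical helper name, not part of any project.

# engines_dir_ok DIR
# Prints DIR and returns 0 when DIR is usable as OPENSSL_ENGINES.
# Otherwise prints a reason on stderr and returns a distinct non-zero code.
engines_dir_ok() {
    dir=$1

    case $dir in
        '')
            echo "OPENSSL_ENGINES: empty value" >&2
            return 1 ;;
        *:*)
            # One directory only: a ':' means the value was built like PATH,
            # e.g. "$OPENSSL_ENGINES:$PWD/engines/bin" with the variable unset.
            echo "OPENSSL_ENGINES: '$dir' looks like a PATH-style list" >&2
            return 2 ;;
        /*)
            ;;
        *)
            echo "OPENSSL_ENGINES: '$dir' is not an absolute path" >&2
            return 3 ;;
    esac

    # Catches a mistyped directory name (engines/bin instead of engine/bin).
    if [ ! -d "$dir" ]; then
        echo "OPENSSL_ENGINES: '$dir' does not exist" >&2
        return 4
    fi

    # Assumption: the engine module built in the thread is named gost.so.
    if [ ! -f "$dir/gost.so" ]; then
        echo "OPENSSL_ENGINES: no gost.so in '$dir'" >&2
        return 5
    fi

    # Extra precaution added here: an engine is code loaded into the openssl
    # process, so refuse a directory that any local user can write to.
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "OPENSSL_ENGINES: '$dir' is world-writable" >&2
        return 6
    fi

    printf '%s\n' "$dir"
}

# Constructed demo: a scratch tree standing in for the cloned "engine" checkout.
demo=$(mktemp -d)
mkdir -p "$demo/engine/bin"
chmod 755 "$demo/engine/bin"
: > "$demo/engine/bin/gost.so"        # placeholder file, not a real engine

for candidate in "$demo/engine/bin" "$demo/engines/bin" ":$demo/engine/bin"; do
    if engines_dir_ok "$candidate" >/dev/null 2>&1; then
        echo "accept: $candidate"
    else
        echo "reject: $candidate (code $?)"
    fi
done
rm -rf "$demo"

# Typical CI use, after the engine has been built in ./engine:
#   OPENSSL_ENGINES=$(engines_dir_ok "$PWD/engine/bin") && export OPENSSL_ENGINES
```
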

* Re: [ima-evm-utils: PATCH v1 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-04 14:45     ` Vitaly Chikunov
@ 2020-08-04 18:11       ` Mimi Zohar
  0 siblings, 0 replies; 41+ messages in thread
From: Mimi Zohar @ 2020-08-04 18:11 UTC (permalink / raw)
  To: Vitaly Chikunov; +Cc: linux-integrity, Petr Vorel, Bruno Meneguele

On Tue, 2020-08-04 at 17:45 +0300, Vitaly Chikunov wrote:
> Mimi,
> 
> On Tue, Aug 04, 2020 at 08:05:31AM -0400, Mimi Zohar wrote:
> > The openssl version might not have gost openssl engine support.
> > Download from source, rebuild and install local version.
> > 
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
> >  .travis.yml                  | 10 ++++++++++
> >  tests/install-gost-engine.sh | 10 ++++++++++
> >  2 files changed, 20 insertions(+)
> >  create mode 100755 tests/install-gost-engine.sh
> > 
> > diff --git a/.travis.yml b/.travis.yml
> > index 11a827c02f0a..887f6bbea9b9 100644
> > --- a/.travis.yml
> > +++ b/.travis.yml
> > @@ -15,6 +15,13 @@ matrix:
> >     include:
> >       - env: TSS=ibmtss
> >       - env: TSS=tpm2-tss
> > +
> > +before_install:
> > +   - if [ "${SSL}" = "openssl" ]; then
> > +        ./tests/install-gost-engine.sh;
> > +        openssl version;
> > +     fi
> > +
> >  install:
> >     - if [ "${TSS}" = "tpm2-tss" ]; then
> >             sudo apt-get install lcov pandoc autoconf-archive liburiparser-dev;
> > @@ -30,6 +37,9 @@ install:
> >  script:
> >     - export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib;
> >     - export PATH=$PATH:/usr/local/bin;
> > +   - if [ "${SSL}" = "openssl" ]; then
> > +        export OPENSSL_ENGINES="$OPENSSL_ENGINES:$PWD/engines/bin";
> 
> Should be `export OPENSSL_ENGINES=$PWD/engines/bin` since
> OPENSSL_ENGINES is not a PATH-like variable, but just a path to engines
> dir.

Done, thanks.  Assuming there is nothing else, I'll release v1.3.1
tomorrow.

thanks!

Mimi


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-04 13:23                             ` Mimi Zohar
@ 2020-08-05  9:42                               ` Petr Vorel
  2020-08-05 13:31                                 ` Mimi Zohar
                                                   ` (2 more replies)
  0 siblings, 3 replies; 41+ messages in thread
From: Petr Vorel @ 2020-08-05  9:42 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Vitaly Chikunov, linux-integrity, Bruno Meneguele

Hi Mimi, Vitaly,

...
> "[PATCH v3 1/1] tpm: add sysfs exports for all banks of PCR registers"
> was posted here on the linux-integrity mailing list[1].  It's important
> to get this patch upstreamed, but I think the PCR file format is useful
> on its own.  For this reason, I'm going to backtrack and include it in
> 1.3.1.
Thanks a lot for info!

> I've posted a new version of "travis: openssl gost engine" addressing
> the branch version and lack of an install target.   It assumes that
> openssl was built with engine support and builds the gost engine
> support from the git repo.  The environment variable is set, but has
> not been tested.

> Everything, including this change, should now be in the next-testing
> branch.
Nice, thanks! Tested:
https://travis-ci.org/github/pevik/ima-evm-utils

I hope I'll have time for docker based travis patch next week.

Kind regards,
Petr

> [1] message-id: 
> 20200722155739.26957-2-James.Bottomley@HansenPartnership.com

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-05  9:42                               ` Petr Vorel
@ 2020-08-05 13:31                                 ` Mimi Zohar
  2020-08-05 16:23                                   ` Vitaly Chikunov
  2020-08-05 16:18                                 ` Vitaly Chikunov
  2020-08-11 17:33                                 ` Petr Vorel
  2 siblings, 1 reply; 41+ messages in thread
From: Mimi Zohar @ 2020-08-05 13:31 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Vitaly Chikunov, linux-integrity, Bruno Meneguele

On Wed, 2020-08-05 at 11:42 +0200, Petr Vorel wrote:
> Hi Mimi, Vitaly,
> 
> ...
> > "[PATCH v3 1/1] tpm: add sysfs exports for all banks of PCR registers"
> > was posted here on the linux-integrity mailing list[1].  It's important
> > to get this patch upstreamed, but I think the PCR file format is useful
> > on its own.  For this reason, I'm going to backtrack and include it in
> > 1.3.1.
> Thanks a lot for info!
> 
> > I've posted a new version of "travis: openssl gost engine" addressing
> > the branch version and lack of an install target.   It assumes that
> > openssl was built with engine support and builds the gost engine
> > support from the git repo.  The environment variable is set, but has
> > not been tested.
> > Everything, including this change, should now be in the next-testing
> > branch.
> Nice, thanks! Tested:
> https://travis-ci.org/github/pevik/ima-evm-utils

From the log, I see I somehow re-introduced testing "${SSL}" =
"openssl".  I've removed it again and pushed out the updated version.

> I hope I'll have time for docker based travis patch next week.

Thanks!

Mimi


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-05  9:42                               ` Petr Vorel
  2020-08-05 13:31                                 ` Mimi Zohar
@ 2020-08-05 16:18                                 ` Vitaly Chikunov
  2020-08-11 17:33                                 ` Petr Vorel
  2 siblings, 0 replies; 41+ messages in thread
From: Vitaly Chikunov @ 2020-08-05 16:18 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Mimi Zohar, linux-integrity, Bruno Meneguele

Petr,

On Wed, Aug 05, 2020 at 11:42:15AM +0200, Petr Vorel wrote:
> Hi Mimi, Vitaly,
> 
> ...
> > "[PATCH v3 1/1] tpm: add sysfs exports for all banks of PCR registers"
> > was posted here on the linux-integrity mailing list[1].  It's important
> > to get this patch upstreamed, but I think the PCR file format is useful
> > on its own.  For this reason, I'm going to backtrack and include it in
> > 1.3.1.
> Thanks a lot for info!
> 
> > I've posted a new version of "travis: openssl gost engine" addressing
> > the branch version and lack of an install target.   It assumes that
> > openssl was built with engine support and builds the gost engine
> > support from the git repo.  The environment variable is set, but has
> > not been tested.
> 
> > Everything, including this change, should now be in the next-testing
> > branch.
> Nice, thanks! Tested:
> https://travis-ci.org/github/pevik/ima-evm-utils

Probably not.

I still see there

  https://travis-ci.org/github/pevik/ima-evm-utils/jobs/715092182
  https://travis-ci.org/github/pevik/ima-evm-utils/jobs/715092183

SSL is not set and ./tests/install-gost-engine.sh is not run.
At the bottom we can see

  2077 $ tail -3 tests/ima_hash.log;
  2078 PASS: 14 SKIP: 4 FAIL: 0
  2082 $ tail -3 tests/sign_verify.log;
  2083 PASS: 81 SKIP: 10 FAIL: 0

This means that some tests aren't run. Probably these are engine-related
tests.

Thanks,

> 
> I hope I'll have time for docker based travis patch next week.
> 
> Kind regards,
> Petr
> 
> > [1] message-id: 
> > 20200722155739.26957-2-James.Bottomley@HansenPartnership.com

^ permalink raw reply	[flat|nested] 41+ messages in thread
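
The summaries quoted in the message above ("PASS: 14 SKIP: 4 FAIL: 0") come from jobs that finish green even though tests were skipped. The following is an added example, not part of the thread or of ima-evm-utils: a CI step that fails the job when a test log reports more skips than that job expects. The function names and the per-job skip budget are assumptions; the summary format is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of ima-evm-utils. Assumes each test log ends with a
# summary in the format quoted in the thread: "PASS: <n> SKIP: <n> FAIL: <n>".

# summary_field NAME LINE: print the number that follows "NAME:" in LINE.
summary_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1: *\([0-9][0-9]*\).*/\1/p"
}

# check_summary LINE MAX_SKIP (MAX_SKIP is a hypothetical per-job skip budget)
#   returns 0 when FAIL is 0 and SKIP <= MAX_SKIP
#   returns 1 when a test failed or more tests were skipped than budgeted
#   returns 2 when LINE holds no summary (e.g. the test run never started)
check_summary() {
    cs_skip=$(summary_field SKIP "$1")
    cs_fail=$(summary_field FAIL "$1")
    if [ -z "$cs_skip" ] || [ -z "$cs_fail" ]; then
        echo "no PASS/SKIP/FAIL summary found" >&2
        return 2
    fi
    if [ "$cs_fail" -ne 0 ]; then
        echo "FAIL: $cs_fail" >&2
        return 1
    fi
    if [ "$cs_skip" -gt "$2" ]; then
        echo "SKIP: $cs_skip exceeds the budget of $2" >&2
        return 1
    fi
    return 0
}

# check_log FILE MAX_SKIP: apply check_summary to the last summary line in FILE.
check_log() {
    cl_line=$(grep 'PASS: [0-9][0-9]* SKIP: [0-9][0-9]* FAIL: [0-9][0-9]*' "$1" | tail -n 1)
    check_summary "$cl_line" "$2"
}

# Demo on a constructed log that ends with the ima_hash summary from the thread.
demo_log=$(mktemp)
printf 'some test output\nPASS: 14 SKIP: 4 FAIL: 0\n' > "$demo_log"
check_log "$demo_log" 4 && echo "budget 4: ok"
check_log "$demo_log" 0 || echo "budget 0: job fails instead of going green"
rm -f "$demo_log"
```

A job that is expected to have the gost engine installed would use a lower budget than one that is not, so a missing engine shows up as a red build.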

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-05 13:31                                 ` Mimi Zohar
@ 2020-08-05 16:23                                   ` Vitaly Chikunov
  0 siblings, 0 replies; 41+ messages in thread
From: Vitaly Chikunov @ 2020-08-05 16:23 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Petr Vorel, linux-integrity, Bruno Meneguele

Mimi,

On Wed, Aug 05, 2020 at 09:31:40AM -0400, Mimi Zohar wrote:
> On Wed, 2020-08-05 at 11:42 +0200, Petr Vorel wrote:
> > Hi Mimi, Vitaly,
> > 
> > ...
> > > "[PATCH v3 1/1] tpm: add sysfs exports for all banks of PCR registers"
> > > was posted here on the linux-integrity mailing list[1].  It's important
> > > to get this patch upstreamed, but I think the PCR file format is useful
> > > on its own.  For this reason, I'm going to backtrack and include it in
> > > 1.3.1.
> > Thanks a lot for info!
> > 
> > > I've posted a new version of "travis: openssl gost engine" addressing
> > > the branch version and lack of an install target.   It assumes that
> > > openssl was built with engine support and builds the gost engine
> > > support from the git repo.  The environment variable is set, but has
> > > not been tested.
> > > Everything, including this change, should now be in the next-testing
> > > branch.
> > Nice, thanks! Tested:
> > https://travis-ci.org/github/pevik/ima-evm-utils
> 
> From the log, I see I somehow re-introduced testing "${SSL}" =
> "openssl".  I've removed it again and pushed out the updated version.

Maybe I am fetching wrong, but it's still there.

origin is https://git.code.sf.net/p/linux-ima/ima-evm-utils

  $ git fetch origin
  $ git show -m origin/next-testing
  commit 76121b08b479f60a773653889070546002c2e826
  ...
  +before_install:
  +   - if [ "${SSL}" = "openssl" ]; then
  +        ./tests/install-gost-engine.sh;
  +        openssl version;
  +     fi
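
Review bot: the 'if [ "${SSL}" = "openssl" ]' guard in before_install means ./tests/install-gost-engine.sh runs only in jobs that export SSL=openssl, so in a job where SSL is unset the script is silently not run and the build can still pass. Either drop the guard or make sure the matrix sets SSL for the jobs that need the engine. Also, 'openssl version' as the last line does not show whether the gost engine is usable; a check that the engine actually loads would make a broken install visible at this step.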

Thanks,


> 
> > I hope I'll have time for docker based travis patch next week.
> 
> Thanks!
> 
> Mimi

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-05  9:42                               ` Petr Vorel
  2020-08-05 13:31                                 ` Mimi Zohar
  2020-08-05 16:18                                 ` Vitaly Chikunov
@ 2020-08-11 17:33                                 ` Petr Vorel
  2020-08-11 22:04                                   ` Mimi Zohar
  2 siblings, 1 reply; 41+ messages in thread
From: Petr Vorel @ 2020-08-11 17:33 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Vitaly Chikunov, linux-integrity

Hi Mimi, Vitaly,

> > Everything, including this change, should now be in the next-testing
> > branch.
> Nice, thanks! Tested:
> https://travis-ci.org/github/pevik/ima-evm-utils

> I hope I'll have time for docker based travis patch next week.

I prototyped docker based Travis [1] (still WIP). It tests various distros,
including cross-compilation, using also clang, even one build with musl (Alpine
distro). But there are many failures.

The biggest problem is with ibmswtpm2 [2], which contains the tpm_server binary. This
project is not packaged in distros, compiles only with gcc (no clang, I tested
versions 1332 and 1637) and ignores CFLAGS and LDFLAGS settings. It doesn't even
have a git repository (the one on sourceforge is empty).
We could simply patch this file, but I'm not going to do it.
I guess I'll just skip the tpm_server dependency for all non-native projects.
I also always need to install gcc, even when clang is going to be used, due to tpm_server.

It also found a bug in m4/manpage-docbook-xsl.m4 for Alpine: a custom xml
catalog is found, but the value is not redirected into the variable.

Kind regards,
Petr

[1] https://travis-ci.org/github/pevik/ima-evm-utils/builds/716990585
[2] https://sourceforge.net/projects/ibmswtpm2/


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-11 17:33                                 ` Petr Vorel
@ 2020-08-11 22:04                                   ` Mimi Zohar
  2020-08-12 13:05                                     ` Petr Vorel
  0 siblings, 1 reply; 41+ messages in thread
From: Mimi Zohar @ 2020-08-11 22:04 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Vitaly Chikunov, linux-integrity

On Tue, 2020-08-11 at 19:33 +0200, Petr Vorel wrote:
> Hi Mimi, Vitaly,
> 
> > > Everything, including this change, should now be in the next-testing
> > > branch.
> > Nice, thanks! Tested:
> > https://travis-ci.org/github/pevik/ima-evm-utils
> > I hope I'll have time for docker based travis patch next week.
> 
> I prototyped docker based Travis [1] (still WIP). It tests various distros,
> including cross-compilation, using also clang, even one build with musl (Alpine
> distro). But there are many failures.
> 
> The biggest problem is with ibmswtpm2 [2], which contains the tpm_server binary. This
> project is not packaged in distros, compiles only with gcc (no clang, I tested
> versions 1332 and 1637) and ignores CFLAGS and LDFLAGS settings. It doesn't even
> have a git repository (the one on sourceforge is empty).
> We could simply patch this file, but I'm not going to do it.
> I guess I'll just skip the tpm_server dependency for all non-native projects.
> I also always need to install gcc, even when clang is going to be used, due to tpm_server.

Agreed, getting docker/travis working is independent of tpm_server. 
Without a software TPM, the boot_aggregate test will be skipped.  For
now, until we can straighten this out,  I would modify "make check" to
run the other tests (e.g. make check TESTS="ima_hash.test
sign_verify.test").

thanks,

Mimi

> 
> It also found a bug in m4/manpage-docbook-xsl.m4 for Alpine: a custom xml
> catalog is found, but the value is not redirected into the variable.
> 
> Kind regards,
> Petr
> 
> [1] https://travis-ci.org/github/pevik/ima-evm-utils/builds/716990585
> [2] https://sourceforge.net/projects/ibmswtpm2/
> 



^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-11 22:04                                   ` Mimi Zohar
@ 2020-08-12 13:05                                     ` Petr Vorel
  2020-08-13 18:15                                       ` Mimi Zohar
  0 siblings, 1 reply; 41+ messages in thread
From: Petr Vorel @ 2020-08-12 13:05 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Vitaly Chikunov, linux-integrity

Hi Mimi, Vitaly,

...
> > I prototyped docker based Travis [1] (still WIP). It tests various distros,
> > including cross-compilation, using also clang, even one build with musl (Alpine
> > distro). But there are many failures.

> > The biggest problem is with ibmswtpm2 [2], which contains the tpm_server binary. This
> > project is not packaged in distros, compiles only with gcc (no clang, I tested
> > versions 1332 and 1637) and ignores CFLAGS and LDFLAGS settings. It doesn't even
> > have a git repository (the one on sourceforge is empty).
> > We could simply patch this file, but I'm not going to do it.
> > I guess I'll just skip the tpm_server dependency for all non-native projects.
> > I also always need to install gcc, even when clang is going to be used, due to tpm_server.

> Agreed, getting docker/travis working is independent of tpm_server. 
> Without a software TPM, the boot_aggregate test will be skipped.  For
> now, until we can straighten this out,  I would modify "make check" to
> run the other tests (e.g. make check TESTS="ima_hash.test
> sign_verify.test").
Yes, specifying tests to be tested is an option. But if skipping the compilation
for non-native builds works (e.g. tests which don't specify $VARIANT), I'd go
this way. That helps us avoid having to remember to update tests for non-native
builds (once the new ones are added).

Gost: I just installed it for Debian / Ubuntu, which have a package. Not sure if
it's enough.

Any objections to distros used or anything else?
I'll have a look at it during this week and hopefully send a v1 patchset.

> thanks,

> Mimi


> > It also found a bug in m4/manpage-docbook-xsl.m4 for Alpine: a custom xml
> > catalog is found, but the value is not redirected into the variable.
This is not a priority. I'll have a look into this sometime in my non-work time
(Alpine doesn't have ima-evm-utils package).

Kind regards,
Petr

> > [1] https://travis-ci.org/github/pevik/ima-evm-utils/builds/716990585
> > [2] https://sourceforge.net/projects/ibmswtpm2/

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-12 13:05                                     ` Petr Vorel
@ 2020-08-13 18:15                                       ` Mimi Zohar
  2020-08-13 18:28                                         ` Petr Vorel
  0 siblings, 1 reply; 41+ messages in thread
From: Mimi Zohar @ 2020-08-13 18:15 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Vitaly Chikunov, linux-integrity

On Wed, 2020-08-12 at 15:05 +0200, Petr Vorel wrote:
> Hi Mimi, Vitaly,
> 
> ...
> > > I prototyped docker based Travis [1] (still WIP). It tests various distros,
> > > including cross-compilation, using also clang, even one build with musl (Alpine
> > > distro). But there are many failures.
> > > The biggest problem is with ibmswtpm2 [2], which contains the tpm_server binary. This
> > > project is not packaged in distros, compiles only with gcc (no clang, I tested
> > > versions 1332 and 1637) and ignores CFLAGS and LDFLAGS settings. It doesn't even
> > > have a git repository (the one on sourceforge is empty).
> > > We could simply patch this file, but I'm not going to do it.
> > > I guess I'll just skip the tpm_server dependency for all non-native projects.
> > > I also always need to install gcc, even when clang is going to be used, due to tpm_server.
> > Agreed, getting docker/travis working is independent of tpm_server. 
> > Without a software TPM, the boot_aggregate test will be skipped.  For
> > now, until we can straighten this out,  I would modify "make check" to
> > run the other tests (e.g. make check TESTS="ima_hash.test
> > sign_verify.test").
> Yes, specifying tests to be tested is an option. But if skipping the compilation
> for non-native builds works (e.g. tests which don't specify $VARIANT), I'd go
> this way. That helps us avoid having to remember to update tests for non-native
> builds (once the new ones are added).

Sure.  libtpms/swtpm could be installed in lieu of the ibmswtpm2.
Sample directions for using it are here:
https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm

thanks,

Mimi


^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-13 18:15                                       ` Mimi Zohar
@ 2020-08-13 18:28                                         ` Petr Vorel
  2020-08-13 20:11                                           ` Mimi Zohar
  0 siblings, 1 reply; 41+ messages in thread
From: Petr Vorel @ 2020-08-13 18:28 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Vitaly Chikunov, linux-integrity

Hi Mimi, Vitaly,

...
> > > > The biggest problem is with ibmswtpm2 [2], which contains the tpm_server binary. This
> > > > project is not packaged in distros, compiles only with gcc (no clang, I tested
> > > > versions 1332 and 1637) and ignores CFLAGS and LDFLAGS settings. It doesn't even
> > > > have a git repository (the one on sourceforge is empty).
> > > > We could simply patch this file, but I'm not going to do it.
> > > > I guess I'll just skip the tpm_server dependency for all non-native projects.
> > > > I also always need to install gcc, even when clang is going to be used, due to tpm_server.
> > > Agreed, getting docker/travis working is independent of tpm_server. 
> > > Without a software TPM, the boot_aggregate test will be skipped.  For
> > > now, until we can straighten this out,  I would modify "make check" to
> > > run the other tests (e.g. make check TESTS="ima_hash.test
> > > sign_verify.test").
> > Yes, specifying tests to be tested is an option. But if skipping the compilation
> > for non-native builds works (e.g. tests which don't specify $VARIANT), I'd go
> > this way. That helps us avoid having to remember to update tests for non-native
> > builds (once the new ones are added).

> Sure.  libtpms/swtpm could be installed in lieu of the ibmswtpm2.
> Sample directions for using it are here: 
> https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm

Nice!
I've just sent a patch which builds green without this (ibmswtpm2 is installed
just for native gcc builds). I'd prefer to leave this for somebody else.

Kind regards,
Petr

^ permalink raw reply	[flat|nested] 41+ messages in thread

* Re: [ima-evm-utils: PATCH 5/5] ima-evm-utils: travis: openssl gost engine
  2020-08-13 18:28                                         ` Petr Vorel
@ 2020-08-13 20:11                                           ` Mimi Zohar
  0 siblings, 0 replies; 41+ messages in thread
From: Mimi Zohar @ 2020-08-13 20:11 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Vitaly Chikunov, linux-integrity

On Thu, 2020-08-13 at 20:28 +0200, Petr Vorel wrote:
> Hi Mimi, Vitaly,
> 
> ...
> > > > > The biggest problem is with ibmswtpm2 [2], which contains the tpm_server binary. This
> > > > > project is not packaged in distros, compiles only with gcc (no clang, I tested
> > > > > versions 1332 and 1637) and ignores CFLAGS and LDFLAGS settings. It doesn't even
> > > > > have a git repository (the one on sourceforge is empty).
> > > > > We could simply patch this file, but I'm not going to do it.
> > > > > I guess I'll just skip the tpm_server dependency for all non-native projects.
> > > > > I also always need to install gcc, even when clang is going to be used, due to tpm_server.
> > > > Agreed, getting docker/travis working is independent of tpm_server. 
> > > > Without a software TPM, the boot_aggregate test will be skipped.  For
> > > > now, until we can straighten this out,  I would modify "make check" to
> > > > run the other tests (e.g. make check TESTS="ima_hash.test
> > > > sign_verify.test").
> > > Yes, specifying tests to be tested is an option. But if skipping the compilation
> > > for non-native builds works (e.g. tests which don't specify $VARIANT), I'd go
> > > this way. That helps us avoid having to remember to update tests for non-native
> > > builds (once the new ones are added).
> > Sure.  libtpms/swtpm could be installed in lieu of the ibmswtpm2.
> > Sample directions for using it are here: 
> > https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm
> 
> Nice!
> I've just sent a patch which builds green without this (ibmswtpm2 is installed
> just for native gcc builds). I'd prefer to leave this for somebody else.

Wow, I saw the "green" button.  Thank you so much for spending so much
time on this.  Yes, of course we'll add the libtpms/swtpm support.

Mimi


^ permalink raw reply	[flat|nested] 41+ messages in thread
